ABSTRACT


Rapid technological advancements and societal inclusion of these technologies have 
expanded civil and defense capabilities but have also created significant vulnerabilities. 
Cyber-weapons have the potential to affect interaction between states by exploiting this 
vulnerability. To better understand the mechanics of how cyber-weapons affect state 
relations this research applies a common framework to explore the attributes of 
traditional weapons—conventional, nuclear, and RMA—and how they typically 
influence this behavior. After proposing selected factors that influence the effectiveness 
of a cyber-attack, the research examines the cyber-attacks in 2007 on Estonia and 2008 
on Georgia in order to refine and provide nuanced analysis on the role of the proposed 
causal factors. The proposed factors are government involvement, level of attack 
sophistication, and the degree to which the state is dependent upon digitally connected 
technology. The research indicates that the role of the state is one of the most significant 
factors in influencing the effectiveness of a cyber-attack and highlights the role that 
plausible deniability plays in this relationship. Some initial policy recommendations are 
made based on the finding that the use of cyber-weapons as a deterrent is still ill-defined 
and that the focus should be on decreasing state vulnerability to these attacks. 
I. INTRODUCTION


A. OVERVIEW 

The level of dependence upon technology by state and non-state actors varies 
widely but is undisputedly increasing. Many states depend upon technology to help 
simplify and expedite complex processes such as irrigation, telecommunications, air 
traffic control, economic market interaction, national security, and weapons production. 
Countries such as the Netherlands, Canada, and Denmark have over 90 Internet users per
100 people. Less dependent countries have minimal reliance upon digital connectivity and
it has little effect on the daily lives of their citizens. Somalia and Afghanistan, for example,
have fewer than five Internet users per 100 people.1 While the percentage of Internet users
is not a direct indication of how dependent a state is upon digital connectivity, it does 
provide valuable insight into their degree of vulnerability. This vulnerability provides an 
attack surface that adversaries can exploit in order to affect the actions of a state. 

An accurate grasp of the nature of a state’s dependence upon networked, and 
vulnerable, technology is important but is insufficient to effectively affect that state’s 
behavior. It is also essential to understand the nature and rules of state interaction. Using 
a common framework developed upon the structural Realist school of thought from the 
theoretical study of international relations, it is possible to look at how various forms of 
technology, and the weapons that were made available as a result of such technology, 
altered the way that states commonly interacted.2 For instance, the conventional military
force of a given state provides credibility based upon its capacity to inflict harm. States 
that have a weak military have a correspondingly low ability to affect the behavior of 
another state because they lack the ability to force that state’s behavior. Likewise, a 
strong military capability normally indicates the capacity to change a state’s behavior. 
Deterrence is the manipulation of this capability to prevent certain behavior. The horrible 
effects of nuclear weapons had a tremendous influence on the possessing state’s ability to 


1 The World Bank, Internet Users (per 100), http://data.worldbank.org/indicator/IT.NET.USER.P2 , 

2 Kenneth Waltz, Theory of International Politics (Random House: New York, 1979), 113. 
deter another’s behavior, and this relationship was further changed when opposing states
both possessed nuclear capability. Significant advances in technology over the last three 
decades have made both conventional and nuclear weapons so precise that they altered 
the nature of deterrent threats. Whereas the destruction assured by the employment of 
nuclear weapons was a substantial aspect of its deterrent effect, recent advances in PGM 
and drone technology facilitated pinpoint destruction. Some of the additional benefits of 
this technology that affected its capacity to deter included the ability for covert 
employment and limited collateral damage. 

The rapid increase in the capabilities of cyber-technologies has made it a nearly 
indispensable aspect of the developed world. Additionally, this technology has created a 
considerable vulnerability for its employers. Stuxnet provided the world with an example 
of how cyber-weapons could be used as a destructive weapon with strategic 
consequences.3 The degree to which cyber-weapons could potentially affect a state that 
relies on digital technology is left largely to the imagination. Although international law 
is still murky as to when cyber-attacks constitute an armed attack, it is certainly clear that 
instances of cyber-attack are an increasingly occurring and persistent problem.4 With
this in mind it is essential to examine the basic characteristics of cyber-weapons and the 
impact that they have on interstate relations. 

B. PURPOSE 

The purpose of this research is to gain insight as to how the offensive application 
of cyber-weapons might affect deterrent interaction between states. While there is a 
robust body of research that examines the deterrent characteristics of conventional, 
nuclear, and RMA-enabled weapons, the field is still relatively nascent in its examination 
of offensively-employed cyber-weapons. This research intends to establish a common 
framework by which to examine the effectiveness of tools of force (conventional, 
nuclear, and RMA) and apply this framework to empirical case studies where cyber- 


3 Andrew Foltz, “Stuxnet, Schmitt Analysis, and the Cyber ‘Use of Force’ Debate,” Joint Force 
Quarterly 67, no. 4 (2012): 41. 

4 Scott Shackelford, “Estonia Three Years Later,” Journal of Internet Law 8, no. 13 (2010): 25.
weapons were employed offensively. By examining selected and seemingly relevant
factors that influence the effectiveness of a cyber-attack, the intent is to explore these 
causal factors specifically throughout each case study in order to draw some 
conclusions.5 The conclusions should help solidify the relationship between the selected 
factors and consequent level of effectiveness, and thereby further the understanding of 
how cyber-weapons are employed to affect interaction between states. 

C. RELEVANCE 

This research is relevant because the continuing advances and expanding 
dependency upon technology create a legitimate vulnerability for an aggressor to exploit. 
It is imperative to understand the characteristics of successfully employed cyber-weapons 
and examine the factors that played a role in their ultimate level of effectiveness. This 
allows relevant stake-holders of cyber-policy to understand the potential dynamics that 
are in play when cyber-weapons are being used. In turn, it lends some predictability to 
assessment efforts in situations where an aggressor state may employ cyber-weapons. 

Potential recommendations based on this research could advocate that possession 
of offensive cyber-attack capability is a useful tool with which to influence the behavior 
of other states. It could also reveal that the costs are too great at this time, that technology 
is too immature, or that there are a number of other factors which would limit or prohibit 
its inclusion. Examining this problem could highlight some of the policy gaps that 
currently exist in the burgeoning field of cyber-strategy, as well as increase the 
effectiveness of the nation’s offensive cyber-strategy. 

D. THESIS ORGANIZATION 

This thesis begins by examining the underlying principles and assumptions that 
explain how states interact in accordance with traditional structural realist theory. One of 
the primary assumptions is that the international arena is an anarchic system 

5 This approach to the study of deterrence cases is outlined in Robert Jervis, “Introduction: Approach
and Assumptions,” in Psychology and Deterrence, eds. Robert Jervis, Ned Lebow, and Janice Stein 
(Baltimore: Johns Hopkins Press, 1985), 34. 
characterized by struggle between states. A state’s self-seeking behavior is tempered by
the understanding that an overly aggressive approach will likely invoke response from 
other states.6 To refine this approach, a basic game theoretic model is presented that, 
given certain assumptions, demonstrates that there is always a bargaining range that is 
mutually advantageous to war.7 Using this as a key framework for the remainder of the 
research, the thesis uses a common set of criteria to characterize the effectiveness of 
conventional, nuclear, and RMA-enhanced tools of interaction in affecting the bargaining 
process. Cyber-weapons are briefly examined using this framework before applying it in 
depth through the case studies. The case studies examine the offensive cyber-attacks 
against Estonia in 2007 and Georgia in 2008 in order to determine the role that selected 
factors had in influencing the attack’s level of effectiveness. Following the case studies, 
the thesis concludes with an exploratory examination of the increasing Chinese- 
sponsored cyber-attacks and then concluding remarks and policy recommendations that 
were induced from the case studies. The conclusion will also include further 
recommended research. Of particular note, my research indicates that state involvement 
generally has a limiting effect on a cyber-attack’s level of effectiveness due to the desire 
to retain plausible deniability. As the effectiveness of an attack increases, so too does the 
risk of attribution. This tradeoff between effectiveness and plausible deniability is an 
important relationship to note. Additionally, my research indicates that the use of cyber-weapons
as a tool of diplomacy does not yet have the more predictable deterrent effects
of conventional, nuclear, and RMA-weapons. As a result it is suggested that the state 
focus on enhancing security against becoming a victim of cyber-attacks. 


6 Waltz, Theory of International Politics, 113.

7 James Fearon, “Rationalist Explanations for War,” International Organization 49, no. 3 (1995): 387.
II. FRAMEWORK


A. BASIC ASSUMPTIONS OF INTERNATIONAL RELATIONS SYSTEM 

Providing structure and explanation to interaction between states is a complex 
process that evokes expansive theoretical arguments. Occasionally, there is such a 
significant external change that the body of theoretical work is drastically affected. 
Strategic bombing, nuclear weapons, and the technological Revolution in Military Affairs 
(RMA) are examples of changes in warfare capability that changed the coercive 
dynamics between adversaries. Many argued that theories that satisfactorily explained 
how states interact when armed with only conventional militaries became obsolete when 
nuclear weapons were developed and acquired. The dawn of the cyber-age has seen 
exponential increases in computing speed and capability that can be harnessed into cyber-weapons
of unrealized destructiveness. In order to determine if this new technology will
similarly change the system, this section examines the potential effect of cyber-weapons 
on classic deterrence. Subsequent case studies where cyber-weapons were used with 
varying success will help to identify factors that may alter the effectiveness of these 
weapons. 

Classic deterrence theory provides a framework to explain and understand how 
entities interact in order to provide insight into behavior, as well as a method by which to 
predict behavior. The international community contains states that operate in anarchy. It 
is anarchic because there is no single hegemonic power or world
government that has the power to dictate the behavior of all states.8 Because there is no
such higher authority, anarchy encourages states to help themselves, through self-help, in
pursuit of ensuring their survival.9 The patterns of interaction that result from this
structure are important to examine in order to understand behavior. Fear of either 
unequally distributed gains or increased dependence on another state for survival are two 
factors that normally limit interstate cooperation because they both create an imbalance 


8 Fearon, International Organization, 401.

9 Waltz, Theory of International Politics, 111.
of power that weaker states fear will be further exploited. This encourages states to be
self-reliant and behave in a way that protects anticipated encroachment on their survival. 
Dependence increases vulnerability and so vulnerability is countered by either limiting 
dependence or strengthening the ability to control the dependent relationships. 

The resultant structure of the international environment is one where states act in 
a manner that may run contrary to the long-term stability of the system. In describing this 
behavior and the underlying cause Waltz provides the example of a commodity shortage. 
During an impending commodity shortage it is best for the greater good of the system if 
all consumers limit their purchase and consumption in order to ensure that everybody 
gets an adequate share. However, the fear for survival causes consumers to purchase in
bulk and hoard the commodity despite the fact that it is to the detriment of the whole. 
Anarchic structure of interstate relations causes much the same scenario. States act in a 
manner that pursues their survival even if it is not in the best interests of the system. The 
nuclear arms race of the Cold War is an example of this behavior. Although nuclear war 
was not in any state’s best interests, both the United States and Russia acquired weapons 
in order to maintain a balance of power and ensure their survival. 

The characteristics of competition set forth by Waltz and the neo-realist theorists 
are most useful in establishing the assumptions of state interaction because they provide a 
relatively simple explanation that can easily accommodate the insertion and evaluation of 
cyber-weapons as a tool. This theory states that relationships between interstate entities 
are characterized by struggle and limited accommodation under mutual suspicion. Self- 
seeking behavior to ensure survival is tempered by the realization that its pursuit provides 
a significant threat to another state. In order to prevent the other state from taking action 
to counter that behavior, states often accommodate and settle in order to reduce the level 
of tension. This decentralized behavior is constantly ebbing and flowing and causes a 
high degree of homogeneity among the states. 12 


10 Ibid. 

11 Ibid., 107. 

12 Ibid., 113. 



In order to seek the accomplishment of their goals, states can either alter their 
internal or external balances. Shifting internal balance means altering forces such as 
economic or military strength in order to affect the state’s power, while external 
balancing indicates involvement in alliances as a way to affect the state’s power. Tools 
of interaction will be discussed in more detail later, but states in an anarchic framework 
use force to seek protection and advantage. The capability to use force serves as an 
underlying threat in all dealings with other states and generally limits extreme behavior. 
Without a higher government authority to which to appeal, states act in a manner that 
limits the threat to their survival. The use or anticipated use of force by a state is likely 
to be met with force in response either unilaterally or in conjunction with other states. 
Dissection of cyber-weapon use in several case studies will help determine its effect as a 
tool of force in classic deterrence and provide details on the trends of its usage. 

It is important to note the basic assumptions of neo-realism so that there is a 
commonly understood framework for understanding how and why states act. First, neo-realism
assumes that the world is anarchic in that there is not a central authority that
controls state behavior, but does not imply that their resultant behavior is chaotic.
Secondly, it is assumed that all states possess some degree of offensive military
capability that can be used to inflict pain on another state. Third, because a state can never
be positively sure of another state’s intentions, it is necessary to factor the offensive
military capability into decision-making as states must always assume that another state 
may resort to use of this capacity to affect behavior. That survival is the driving force for 
state behavior is the fourth assumption of neo-realism, while the fifth is that states 
develop a strategy that best ensures their survival. This rational development sometimes 
leads to miscalculations because all relevant information is not always known, 


13 Ibid., 116-128.

14 Ibid. 

15 John Mearsheimer, “The False Promise of International Institutions,” International Security 19, no.
3 (1994): 10.
B. A BASIC FORMAL MODEL FOR UNDERSTANDING CONFLICT


Having defined the basic structure and characteristics of interstate anarchy allows 
for a more detailed examination of how states interact and under what conditions they 
would come into conflict. Using Waltz as a baseline theory on anarchic interaction,
Fearon examines traditional realist theory and argues that based on its assumptions its 
conclusions do not logically follow. Specifically, the expectation that benefits will be 
greater than costs, rational preventive war, and rational miscalculation due to either lack 
of information or a disagreement about relative power are not sufficient causes to explain 
why states come into conflict. With war being a costly and risky endeavor, Fearon uses a 
basic game theoretic model to demonstrate that there is always a bargaining range that is 
mutually advantageous to war.16


[Figure 1. The Bargaining Range. A horizontal axis running from 0 (B's favorite outcome) to 1 (A's favorite outcome), with points marked in order at 0, p - C_A, x, p, p + C_B, and 1. Labels on the figure: A's value for war, B's value for war, Bargaining range, A's value for outcome x, B's value for outcome x.]

p = probability of winning
x = proposed outcome
C_A = State A's utility for costs of war
C_B = State B's utility for costs of war

The bargaining range (Figure 1) is a linear range with each actor’s desired end- 
state at opposing ends of the line. Between those two opposing points takes place a 
“dance” with each side essentially sizing the other up to determine their opponent’s 
capabilities (probability of winning) and resolve (utility of costs). With perfect and

16 This assumes risk-neutral or risk-averse actors.

17 Fearon, International Organization, 387.

18 Ibid. 
complete information the bargaining range is also clear which makes war more costly
than a bargain. To demonstrate this theory using a candy bar: if two states go to war over 
a candy bar, and the cost of the war is 20 cents, then after the war the value of the candy 
bar is 80 cents. Because the candy bar is of less value, the subsequent division of the 
candy bar will also be of less value. Had the states decided to bargain rather than fight, 
then they could have divided up the full candy bar. Using the probability of winning 
(p) and the utility of the costs for war (Ca or Cb), Fearon demonstrates how states can 
settle upon a bargaining range. 20 Understanding this logic, Fearon argues it is a puzzle 
why states would ever fight. 21 
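
The algebra behind Figure 1 and the candy-bar illustration, worked through as an added example (it is not part of the original thesis). It uses the figure's symbols p, x, C_A and C_B, normalizes the contested good to a value of 1, and assumes risk-neutral actors who each bear the war cost of 20 shown in footnote 20.

\[
\begin{aligned}
E_A(\text{war}) &= p \cdot 1 + (1 - p) \cdot 0 - C_A = p - C_A \\
E_B(\text{war}) &= (1 - p) \cdot 1 + p \cdot 0 - C_B = (1 - p) - C_B \\
\text{A prefers the bargain } x \text{ to war} &\iff x \ge p - C_A \\
\text{B prefers the bargain } x \text{ to war} &\iff 1 - x \ge (1 - p) - C_B \iff x \le p + C_B \\
\text{bargaining range} &= [\, p - C_A,\; p + C_B \,], \qquad \text{width} = C_A + C_B > 0
\end{aligned}
\]

With the candy-bar numbers, p = 0.5 and C_A = C_B = 0.2 on a bar worth 1 (20 cents on a 100-cent bar), each side's expected value for war is 0.5 - 0.2 = 0.3, matching the 30 in footnote 20. The bargaining range is therefore [0.3, 0.7]: any division that leaves each state at least 30 cents is better for both than fighting, and an even split gives each 50 cents against an expected 30 from war. Because the width C_A + C_B is positive whenever war is costly, the range is never empty.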

He posits that there are three answers to this puzzle of why states come into 
conflict. First, states may have private information and the incentive to misrepresent it 
during the bargaining process. 22 The second reason is that under certain conditions a 
state cannot successfully commit to a bargained outcome, while the third reason deals 
with the indivisibility of goods and consequent difficulty in bargaining. 23 Fearon 
contends that commitment problems and issue indivisibility are of secondary importance 
and that private information and the desire to misrepresent it is more commonly the 
reason that states come into conflict. It is important to understand the mechanics of this 
argument before examining cyber-weapon case studies in order to better understand the 
decision-maker’s potential goals and objectives in using such a tool. 

States inherently possess private information about their capabilities and resolve. 
Because war is more costly than a mutually-beneficial bargain, states benefit from 
communicating about intentions and capabilities in order to prevent miscommunication 
and subsequent miscalculation. There are, however, situations in which states purposely 
withhold or misrepresent private information. Although states want to avoid costly war, 

19 Leo Blanken, slideshow Fearon and the Puzzle of Conflict: Unitary Rational Actors Choosing War,
obtained from https://cle.nps.edu/xsl-portal/site/3b74a4a9-2968^d06-8c54- 
cc0643ec9c61/page/1025a83a-f0ee-4015-8938-16d32223dbbl . 

20 E(u) = (100*.5) + (0*.5) - 20 = 30

21 Fearon, International Organization, 383. 

22 Ibid., 391. 

23 Ibid., 401. 
they also want to get a good deal out of bargaining. This can lead to intentional
exaggeration of one’s technological capability or willingness to fight in order to affect the 
adversary’s decision calculus regarding his probability or cost associated with winning. If 
a state can falsely and successfully bolster their probability of winning in their 
opponent’s eyes, then they have affected the bargaining range to their benefit. Their 
adversary, thinking his probability of winning is now reduced is likely to accept a less 
advantageous bargain than had information been accurately represented. Similarly, a state 
may wish to misrepresent private information regarding their true resolve towards an 
issue or a known weakness in order to protect a more beneficial bargaining range.24
States often revert to costly signaling to augment the believability of their 
misrepresentation with a force-related maneuver such as weapons production, troop 
mobilization, support to foreign troops, or engagement in alliances or treaties.25 States 
implementing this strategy must be aware that their actions could induce the enemy to 
reject the new bargaining range and opt for war, as intentional misrepresentation often 
increases the possibility of miscalculation. This possibility may affect the state’s ability 
to implement this strategy as it is necessary to base the costly statements on what a state 
is realistically willing to do. 

It is important to note that private information and the incentive to misrepresent it 
come into play in two other rationalist scenarios for conflict. Conflict may be used to 
prevent potential or actual adversaries from making inferences about a state’s private 
information. For example, American intervention in Vietnam was arguably intended to 
signal to the USSR that the United States placed great value on stopping the spread of 
Communism. Failure to intervene would likely have indicated to the USSR that they 
could freely expand their aggression without American exception.26 This tactic is also 
commonly employed by weak states that want to create the perception that they are 
stronger or harder to subjugate than may actually be the case. By engaging in conflict and 
appearing as a costly adversary, the state hopes to increase its bargaining ability in future 


24 Ibid., 396. 

25 Ibid. 

26 Ibid., 400. 
negotiations. Conflict can also offer an opportunity for a state to demonstrate private
information about its military capability with the intent to create an impression in the 
minds of adversaries. States of increasing power may force conflict in order to 
demonstrate their power on the world stage. Similarly states in perceived decline may 
view conflict as a means of demonstrating their resiliency and continued strength.28 

C. MODES OF INTERACTION 

The tools of interaction highlight the typical escalation process of a conflict from 
peace to war. Ideally, states interact to find solutions through diplomacy. Should 
diplomacy fail, then the interaction escalates to one in which force is threatened to 
influence an adversary to behave as dictated. The actual use of force is the final stage in 
this interaction if the threat of force does not alter the adversary’s behavior. It is 
important to highlight some of the characteristics of each stage before examining the case 
studies in order to understand how cyber-weapons as a tool of deterrence affect the 
“dance” in the normal escalatory stages of a conflict. 

1. Diplomacy

With a baseline understanding of the characteristics of an anarchic international 
relations environment, how states interact, and the conditions under which states come 
into conflict, it is possible to examine the tools that states commonly use in their 
interaction. Diplomacy is the method by which states can interact and settle differences 
without resorting to war. Each actor pursues its goals while always maintaining state 
survival as the primary objective. When goals conflict, states exchange demands and 
through a process of bargaining and communicating the states agree on a solution that is 
mutually advantageous when compared to post-conflict possibilities. Underlying all 
interaction and bargaining is the implication that force may be used by either actor in 
order to achieve their objectives. A mutual understanding of the adversary’s relative 
power helps to define the risks and costs of war and thereby establish a bargaining range 
within which the states seek a solution.29 Solutions within the bargaining range are not
ideal for either party, but they pose less risk than the alternative of going to war.30
Although Fearon’s model demonstrated that settling on a bargain is less costly to both 
sides than going to war, the underlying implication of force makes it necessary to develop 
and prepare these tools of force should they become necessary. 

2. Force 

It is important to highlight that tools of force are essential in both the bargaining 
and conflict phase of state interaction. Their importance in conflict is obvious, but in the 
bargaining phase the capacity of the force directly affects the probability that a given 
state will prevail. The following discussion examines force as a threat and as a physical 
impetus to cause change. 

a. Threat of Force 

Deterrence and coercion are the two primary means by which the threat of 
force is employed. State A seeks behavior from State B and threatens to use force to 
ensure the achievement of that behavior. In deterrence, the threat of force seeks to 
prevent a change to the status quo, whereas coercion uses threats to force a particular 
behavior. Several variables feed this interaction which is best understood using Fearon’s 
model of probabilistic rational behavior between anarchic states. 

The capabilities of State A’s threat affect the probability that State A will 
prevail. In an environment where adversaries understand the other’s intentions and 
power, the threat of force results in a set bargaining range within which negotiations take 
place. In determining the effectiveness of certain weapons in a deterrence framework, it 
is important to understand their effect on the probability of prevailing in conflict. 
Deterrence relies on a combination of the threat’s capacity and the state’s resolve to 
establish a bargaining range that prevents alteration to the status quo.31 This concept will
be examined in detail in subsequent sections. On the other hand, coercion explores how
threats force an adversary to take action. In providing weight to the threat of force theory,
Schelling explored the concept of diplomacy of violence in his book Arms and Influence
and explained the coercive elements of violence. His research shed light on how violence
could be threatened in order to force an opponent to perform a desired behavior
regardless of intent or what level of violence was applied.32

George furthered the concept in The Limits of Coercive Diplomacy in 
which he explained the tenets of coercive diplomacy theory and distinguished it from the 
more offensive use of coercion, or compellence, as advocated by Schelling. According to 
George’s model, coercive diplomacy was a strategy that sought to preserve the status quo 
by either halting an ongoing action or reversing action already taken. The theory provides 
flexibility in that it allows policy-makers to select the urgency, punishment, and 
incentives based upon the factors of a given scenario. 33 It is important to note that 
George’s theory was not limited to military force, but also allowed for diplomatic, 
economic, psychological, and other forms of punishment.34 Additionally, this strategy 
has varying levels of enforcement so that the coercing state can best manage influence 
over their adversary. The leveraged punishment in this theory, whether threatened or 
actually employed, was exemplary in that it did not strive to bludgeon an opponent into 
submission, but rather serve as an impetus to make changes.35 Ideally, the adversary 
responds positively to the threats to which they have been subjected so that escalation is 
not necessary. 


b. Use of Force 

Outside its use as a threat, force can be either offensive or defensive. 
Defensively, force can respond to and affect the damage imposed by an adversary’s use 
of force. Specifically force can repel an attack or serve as a first-strike capability in 
response to an anticipated attack. 36 Should the threat of punishment fail, states in an
anarchic environment may resort to the offensive use of force to settle their differences. 
As previously discussed, because rational actors understand that conflict is inherently 
more costly than settling on a bargain, this scenario is the result of very limited rational 
factors. The use of force indicates a failure of doctrinal deterrence, but coercive 
diplomacy allows the use of force as part of the interaction between states. In this 
scenario force is incrementally and sparingly employed as an indication of two things: 
that the adversary has the opportunity to revert to the status quo, and that failure to do so 
will incur the application of more force.37 Offensive force can also compel an adversary 
to take a desired course of action away from the status quo, but this research focuses on 
the rational application of force to preserve or reestablish the status quo. 

D. TOOLS OF INTERACTION 

Deterrence theory has long attempted to explain how states use threats to prevent 
an adversarial state from taking specific undesired behavior. The deterring state must 
have the power and capability to exert the required influence, the threat expressed must 
be credible, and this threat must be communicated to the adversary.38 In terms of
Fearon’s model, it seeks to alter the cost equation in a way that makes the cost of conflict 
unacceptable to an adversary. The adversary’s decision calculus to stop the menacing 
behavior is affected by how they perceive the credibility of the force, the deterrer’s 
willingness to employ it, and how effectively the effects can be avoided.39 If the 
adversary associates little cost to the threat, or can easily mitigate the costs, then the 
deterrent has little effect and the strategy is likely to fail. The concept and theory of 
deterrence is historically woven throughout conflicts, but the theory attracted real 
attention and refinement with the introduction of nuclear weapons and the ability to 
inflict tremendous death and destruction upon an adversary. Although it plays a 
prominent role, it is important to highlight that deterrence theory contains more than 
nuclear deterrence. 

In order to measure the effectiveness of different tools of deterrence, it is 
necessary to examine them using a common set of criteria. By applying a similar 
framework it is possible to reduce complex methods of deterrence into a set of attributes 
by which they can easily be compared and contrasted. This section briefly examines 
conventional, nuclear, Revolution in Military Affairs, and cyber-deterrence in terms of 
the following questions: 

• What is the potential level of destructiveness? 

• Are the effects controllable? 

• What level of control does the state have in initiating the use of the 
weapon? 

• Does use of the weapon allow for plausible deniability? 

• Can the weapon be used covertly? 

• Is the weapon operational or strategic? (i.e.—can it directly hit a target or 
does it have to fight through the enemy?) 

• Is it contestable? 

• Is it likely to evoke an asymmetric response? 

• Is it costly to develop or use? 

This initial examination of the deterrent attributes of cyber-weapons is far from 
conclusive. Application of the attribute framework to several case studies allows for the 
induction of initial conclusions regarding how cyber-weapons affect the classic 
deterrence “dance” between actors in a conflict. 

1. Conventional 

Conventional deterrence is the management of traditional tools of force such as 
ground forces, air forces, and navies to prevent or reverse an undesirable behavior. The 
gamut of conventional means runs from minimal application of force to high-intensity 
full scale combat depending upon the capability and level of threat that the deterring state 
wishes to convey. The potential level of destructiveness spans from minimal, 
demonstrated by one soldier firing his weapon in response to an adversary’s provocative 
behavior, to extraordinary, demonstrated by the Allied forces invasion of Europe in 1944. 
Deterrence through means of conventional weapons has great potential for collateral 
damage, but the amount of collateral damage is generally proportional to the intended 
level of destructiveness. For example, one infantry company is likely to cause less 
collateral damage than a carpet bombing operation. 

The state is able to exercise strict and exacting control over conventional means 
of deterrence because these tools are normally arms of the state’s power establishment. 
For the scope of this examination, tools of conventional deterrence are assumed to be 
under state control. This relationship consequently makes plausible deniability by the 
state almost impossible. In terms of the ability to covertly employ this means of 
deterrence, conventional deterrence is second only in difficulty to nuclear deterrence. 
Although small-scale conventional deterrence can be executed covertly, smaller 
conventional tools are also less effective in their ability to deter. Large and significant 
demonstrations of conventional weapons are necessary in order to have a deterrent effect, 
but this also decreases the ability to covertly employ them. With respect to the level of 
employment, conventional deterrence weapons can be either operational or strategic. The 
strategic bombing campaigns of World War II provide examples of how the capabilities 
of conventional forces could be used directly against strategic centers of gravity, while 
the large-scale ground invasion forces of Desert Storm highlight deterrent capability at an 
operational level. The use of conventional deterrence is highly contestable in the sense 
that an adversary state may believe it possesses an effective counter or defense to the 
deterrent threat.40 This gray area can complicate the efforts of the deterring state. Finally, 
with respect to cost, conventional means of deterrence are expensive due to the quantity 
of troops and equipment necessary to increase effectiveness, as well as the number of 
casualties that a state must be willing to accept. This is largely due to the fact that greater 
deterrence comes from a more significant threat which equates to a large number of 
forces and weapons. Additionally, in order to reduce the contestability of conventional 
deterrence, states must seek to demonstrate an overwhelming advantage. Significant 
buildup and preparation are normally essential in order to convince the adversary that 
their behavior is creating a legitimate threat response. 

2. Nuclear 

The physical and psychological destructive power contained by nuclear weapons 
was unparalleled by any weapon in history, and as such it had a profound effect on 
deterrence doctrine. Although modifications can be made to the size of the nuclear 
weapon, the destructive capability remains intense. The destructiveness introduced a 
weakness because the stigma of nuclear weapons was so powerful that it had limited 
effectiveness to control anything short of total war. While it was effective in preventing 
total war during the Cold War, nuclear-armed states took smaller actions that could not 
rationally or proportionally exact a nuclear response. Additionally, the effects of nuclear 
weapons were controllable only to the degree that a state could select the target area. 
Once detonated anything within a given radius was equally subjected to the destructive 
powers of this weapon. 

Although the break-up of the Soviet Union and subsequent expansion of the 
nuclear black market made nuclear weapons available to non-state actors, the 
preponderance of nuclear material remains under state control.42 The ability to use 
nuclear weapons within these states typically resides in a very small group of people and 
the state thereby has significant control over tools of nuclear deterrence. With the 
exception of relatively small amounts of nuclear material that may have fallen into the 
hands of non-state actors, state control makes plausible deniability very difficult.43 
Furthermore, the telltale signs of nuclear detonation make covert use of this weapon 
nearly impossible. Although nuclear weapons can be used tactically, the greater deterrent 
effect is gained by large-scale threats directly against strategic centers of gravity such as 
population centers. 
Perhaps the most significant aspect of nuclear deterrence theory was that the 
effect of nuclear weapons was uncontestable. This attribute is the foundation of nuclear 
deterrence and once the USSR and the United States secured second-strike capability it 
had a mutually deterrent effect that resulted in four decades of peace. Although those four 
decades were the equivalent of a hostile chess match, there was nevertheless peace. The 
threat of asymmetric response was not historically a concern of nuclear deterrence 
because a nuclear strike was considered to be the worst type of attack. A far greater 
concern was the level of nuclear retaliation. In terms of cost, the greatest cost of nuclear 
weapon deterrence arguably comes from strong public opposition to their use. The first, 
second, and third order effects of this weapon make the cost of its use in a first-strike 
scenario almost prohibitive. 

3. RMA 

The RMA is the use of rapidly changing technology to enhance war-fighting 
means and methods. The specific and accurate employment of force increases the 
flexibility of deterrence by allowing for a range of policies and techniques that can be 
used against an adversary. Nuclear deterrence during the Cold War prevented large scale 
nuclear war, but was ineffective against lesser conflict. The precision of RMA enables it 
to efficiently cover the gaps that conventional and nuclear deterrence could not. By 
enhancing the capabilities of the tools of nuclear and conventional deterrence, RMA 
altered existing cost equations and thereby had a profound effect on deterrence. Just as 
conventional deterrence spans the gamut of destructibility based upon desired effects, so 
too does RMA-enhanced deterrence. The precision of these weapons allows both the 
destructiveness and the effects to be closely controlled with collateral damage minimized. 

State control is not vastly different from conventional and nuclear weapons 
because RMA is applied to those same weapons. Similarly, the ability to plausibly deny 
or covertly employ these weapons is not greatly affected with RMA advances. With the 
exception of small-scale covert operations such as assassinations, RMA-enhanced 
deterrence still relies on the capacity to inflict destruction to be effective. Destruction 
caused by weapons that are traditionally state-controlled is difficult to deny or hide. 
RMA increased the strategic capability of conventional means of deterrence by 
making it possible and relatively easy to execute pinpoint destruction from great standoff 
ranges. In affecting the decision-making cycle of an adversary state it is possible to target 
specific capabilities or even decision-makers, rather than engage in massive conventional 
battles that attrite the enemy’s military force in order to affect its decision-making 
apparatus. While the RMA also increased the precision of nuclear weapons, it did nothing 
to reduce the associated costs of using these weapons and therefore had little effect on its 
strategic value.44 As contestability was an issue with conventional rather than nuclear 
deterrence, it remains an issue with RMA deterrence.45 The deterring state must execute 
the dance in such a manner as to convince the adversary that its technological advantage 
is beyond contestability. In terms of evoking an asymmetric response, the RMA did not 
greatly alter the threat of either conventional or nuclear deterrence to cause this. Because 
the effects are so precise, the deterring entity faces a lower cost threshold for involvement 
due to the limited collateral damage of a precisely employed RMA force.46 The RMA 
not only reduces adverse public reaction but provides decision-makers with a flexible 
range of options by which they can effectively increase their resolve on an issue without 
risking the commitment of large forces or mutually assured destruction. Increased and 
believable resolve bolsters the deterring state’s credibility.47 While these are marked 
advantages of the RMA, this ease of use can also foster overreliance on these weapons or 
even affect the cost equation in a manner that could increase the likelihood of war. 

4. Cyber 

The RMA touches on some of the technological advantages that cyber-weapons 
produce, namely the precision targeting ability, but the field needs a more thorough 
examination in order to determine the specific impacts, advantages, disadvantages, and 
considerations that this burgeoning tool has on deterrence. The potential level of 
destructiveness of cyber weapons has the largest variance among the types of deterrence. 
Some documented instances of cyber weapon use include nothing more than offensive 
alteration of adversary websites, while the other end of the spectrum has the potential for 
great destruction. Although the most extreme actual use of cyber weapons includes 
physical destruction of equipment, it is possible for this weapon to be harnessed in such a 
way as to create the loss of life.48 The effects of cyber weapons also vary widely. 
Because developments in computer science are a large part of the RMA, certain cyber 
weapons can be very precise in their targeting and almost eliminate collateral damage. 
However, many of the more commonly used cyber weapons work by spreading like a 
contagious illness, which obviously makes controlling the collateral damage nearly 
impossible. Additionally, when targeting networks or control systems it is also very 
difficult to predict the second and third order effects of an attack. 

Two of the more compelling reasons to examine the deterrent effects of cyber 
weapons are that they are used by actors in addition to the state and they also provide the 
user with plausible deniability. In fact, a preponderance of recent acts involving cyber 
weapons contains significant attribution problems. When this is combined with the 
capacity to be surgically employed, its capacity for covert employment becomes clear. 
Cyber weapons can be used either operationally or strategically depending upon the 
desired effects, although there is a much higher threshold of expertise necessary to utilize 
this weapon in a strategic manner. Contestability is an interesting aspect of cyber war 
because the specific capabilities of weapons that an actor possesses are closely guarded 
secrets. As such, it is very likely that an adversary forms a potentially uneducated opinion 
as to the effectiveness of their defenses.49 Because cyber weapons possess the ability to 
inflict significant damage and many states lack the ability to respond in kind, the 
potential to evoke asymmetric response is a very legitimate threat. In terms of cost, cyber 
weapons have similar considerations as do RMA-enhanced weapons. While there is a 
lower threshold for use because of the precise effects and potential for limited collateral 
damage, there is an increased potential for misuse. One curious aspect of the cost relates 
to public opinion as cyber weapons seem to evoke less adverse public opinion than may 
be surmised. This could perhaps be due to the problems of attribution. Some additional 
issues that need further development include the effectiveness of this weapon across the 
spectrum of conflict, how to measure the effectiveness of its use, and a myriad of legal 
concerns. 

III. CASE STUDIES 


A. OVERVIEW AND METHODOLOGY 

The objective of these case studies is to examine the effectiveness of offensively- 
used cyber-weapons in order to form some propositions regarding their potential 
contribution to the classic conception of deterrence. Significant research exists about 
conventional, nuclear, RMA, and defensive cyber deterrence, but the resources are less 
abundant in looking at how offensively-employed cyber-weapons affect the diplomatic, 
including coercive, interaction between states in a conflictual relationship. The case 
studies developed in this research will not provide finality to this question, but rather 
intend to induce some conclusions that will further the body of research. It is important to 
research this because the use of cyber weapons is becoming more prevalent and has the 
capability to inflict tremendous damage. When potentially revolutionary tools of 
diplomacy, such as nuclear weapons, were introduced in the past it was critical to 
evaluate exactly how they would affect the relationship between actors, and so it is 
important to now examine how offensively-employed cyber weapons might affect 
interstate dynamics. Additionally, insight gained will help to develop policies to 
harness and exploit the power of offensive cyber weapons, as well as defend against their 
use by adversaries. 

The case study methodology used will be inductive in that lessons will be drawn 
from empirical examples after looking at the relationship between potential causal factors 
and the resulting depth and breadth of the attack.52 Two conflicts have been selected 
where cyber weapons were employed as an offensive tool of diplomacy with the intent of 
subversion of a state’s ability to govern.53 Because this weapon allows for a wide variety 
of effects, cases were selected where the intent of the aggressor states was similar. This 
is meant to help isolate and attribute the role that the proposed drivers of effectiveness 
actually had on the attack’s level of impact. As an example, although both are 
cyber-attacks, commercial website defacement and digital destruction of a nuclear reactor 
control system have vastly different intents which make it difficult to determine the role 
of causal factors. 

The case studies seek to determine how a host of proposed causal factors might 
influence the effectiveness of offensive cyber-attacks executed under similar intent.54 
Effectiveness of the attack is the dependent variable of this study and is defined as the 
level of impact the attack had on disrupting the society and undermining the 
government’s ability to continue successful governance. The measure of effectiveness 
will be described by evaluating the breadth and depth of each attack. The breadth of the 
attack describes the proportion of the target group that was attacked. For example, if an 
attack aimed to cause denial of service for the entire governmental digital infrastructure, 
but only affected a small portion of the judicial system, then the breadth of the attack is 
very minimal. Meanwhile, depth assesses the severity of the attack on the successfully 
targeted group. For instance, even though only a small portion of the judicial system was 
successfully targeted in the previous example, the effect of that attack will determine the 
depth. If the judicial system’s connectivity was unavailable for thirty minutes, then the 
depth of that attack is shallow, whereas if the judicial system saw all of its data and 
records destroyed beyond repair, in addition to physical damage to the IT infrastructure, 
then that obviously demonstrates a much deeper attack. 

It is important to mention that it can be difficult to neatly categorize offensive 
cyber-attacks because there are many unknown variables that determine the breadth and 
depth of the attack. Much of the data regarding empirical examples remains highly 
guarded because its release could incriminate responsible parties or provide critical 
access to weapons development and implementation to an adversary. Some attacks may 
have a narrow breadth and shallow depth due to the relative inexperience of the 
aggressing force, while it could also be attributed to the aggressor’s desire to retain 
plausible deniability or merely serve as a nuisance to the targeted state. Wide breadth and 
shallow depth could also be attack characteristics of a state with these same intentions, or 
of a large but uncoordinated botnet army.55 On the other hand, a narrow but deep attack 
could be executed by a government looking to cripple a specific target, or a small but 
coordinated effort on the part of a group of hackers. Attacks that are both wide and deep 
require not only significant assets in terms of either numbers or technologic 
sophistication, but also a large coordination effort. The state is arguably the only entity 
that could muster this level of effort, but to do so could jeopardize their ability to remain 
anonymous. There is not any empirical evidence of an attack that maximized the breadth 
and depth of their effects. So, while unknown factors may complicate attempts to 
understand precisely why a cyber-attack had a particular combination of depth and 
breadth, the case studies selected seek to highlight some trends between the proposed 
causal factors and the resultant level of impact. 

Figure 2 is a tool that describes the combined characteristics of offensive 
cyber-attacks along the ranges of depth and breadth. This tool is important because it helps 
establish a common framework that can be used with different case studies to help 
understand the range of an attack’s level of impact.56 

Wide breadth, shallow depth (upper-left quadrant): 

- Expansive list of targets 
- Effects limited to non-destructive aggravation of digital infrastructure 
- Limited collateral damage 

Wide breadth, deep depth (upper-right quadrant): 

- Expansive list of targets; likely all of critical importance 
- Effects unlimited; could include physical destruction of property and loss of life 
- Unpredictable collateral damage 

Narrow breadth, shallow depth (lower-left quadrant): 

- Limited variety of targets 
- Effects limited to non-destructive aggravation of digital infrastructure 
- Limited collateral damage 

Narrow breadth, deep depth (lower-right quadrant): 

- Likely a very selective target 
- Effects unlimited; could include physical destruction of property and loss of life 
- Collateral damage likely, but predictable 

Figure 2. Categorization of Offensive Cyber-attacks 


In order to highlight how these characteristics might look, the following 
discussion provides a hypothetical walk through a scenario in each quadrant of the above 
chart.57 Potential causal factors will be excluded so that the range of the dependent 
variable (level of impact) is the only variance. The range of both breadth and depth is a 
continuum, so there is not a clear distinction when an attack crosses from one quadrant 
into the next.58 The examples provided below attempt to demonstrate scenarios that are 
clearly within each quadrant. 

Beginning in the lower-left quadrant with an offensive cyber-attack that is 
shallow in breadth and narrow in depth, the characteristics are a limited variety of targets 
that are attacked to a level that does not cause long-term, sustained, or irreversible 
damage. The target could be a very specific individual or capability, such as the 
California Supreme Court, or it could include a broader sector such as electrical power 
control stations in the western United States. In this example, shallow depth could 
indicate that the websites of the California Supreme Court are defaced with pro- 
Communist rhetoric or are not accessible for a couple of hours. Although important, 
defacement or lack of availability of Court digital services is relatively insignificant to 
the average citizen for a couple of hours. Shallow attacks on the western United States 
electrical power grid could also include temporary power outages. The effects of this 
attack are also relatively minor, although there is an increased potential for loss of life 
which arguably makes this a less shallow attack than the California Supreme Court 
example. Although roused, citizen concern is at a low-level because of the limited scope 
and destruction associated with an attack in this quadrant. Because the attack is selective 
in its targeting and limited in the destructive capacity, the collateral damage is likely to be 
predictable and controlled. 

The upper-left quadrant is wide in breadth but shallow in depth. The scope and 
variety of targets is much vaster and could include several different sectors, while the 
effects of the offensive cyber-attack are similar to the previous example. An example of 
the breadth of such an attack could include the simultaneous targeting of the digital 
infrastructure of the federal government, air traffic services, financial institutions, defense 
warning systems, and power stations. Because the attack is still narrow in depth, the 
effects are relatively limited in comparison with what could possibly result. This could 
include a temporary or intermittent denial of service. This attack has a significant impact 
on the average citizen because the scope of targets spans a major portion of services on 
which they rely. Normal daily life, for the duration of the attack, would not be possible. A 
state of panic would certainly ensue tempered only by the fact that the impact is narrow 
in depth. Government attempts to restore critical services are successful and there is 
limited data or physical destruction. The likelihood of collateral damage increases with 
the breadth of the attack because the second and third order effects of such a vast attack 
cannot reasonably be predicted. 

An attack in the lower-right quadrant is narrow but deep. The scope of the targets 
is very selective and narrow, but the damage done begins at significant and moves 
towards unlimited. Some examples of this are an attack on the air traffic control services 
that destroy the database of airborne flights, disable air to ground communication, alter 
data provided by navigation beacons, and turn off runway and beacon lighting. A 
particular bank could also be the target where the cyber-attack alters the account 
information, including balances, of the bank’s customers. Back-up servers, databases, and 
records would also be altered or deleted so that the bank could not easily rectify the 
damage done by the attack. These are very selective attacks on specific targets, but the 
intended level of destruction is substantial with significant loss of life and permanent 
elimination of financial savings only examples of the potential effects. Immediate 
attempts to defend against the attacks or counter the effects meet with very limited 
success. Similar to the effects of September 11th, such a spectacular attack will spur great 
concern among the citizens, but will be tempered by the fact that only a small percentage 
of the population was targeted. While the collateral damage of narrow attacks is generally 
low, the depth of the attack makes some side effects unpredictable. 

The upper-right quadrant shows the characteristics of the worst-case cyber-attack. 
This attack is both wide and deep. Attacks of this variety will be against numerous targets 
and seek maximum destruction or disruption. As in the example for the upper-left 
quadrant, the target could be the digital infrastructure of the entire federal government, 
air traffic services, financial institutions, defense warning systems, and electrical and 
nuclear power stations, but the effects are much worse. An attack of this magnitude 
would likely totally cripple the digital infrastructure, destroy critical data, or inject 
malicious data that cause systems to operate in a destructive manner. Supervisory control 
and data acquisition systems (SCADA) that control the functions of power, nuclear, 
sewer, and air defense systems (among others) could either be crippled or engineered to 
create massive nuclear and biological emergencies. Additionally, attacks could modify or 
erase accounting data at financial institutions, usurp all forms of digital communication, 
turn off pace-makers, render air defenses useless, and even gain control of a state’s 
sensitive satellites. Government attempts to counter or defend against an attack of this 
nature would be limited and piecemeal. Pandemonium would certainly ensue as the 
citizens realize their government cannot protect them. Within this range it is important to 
remember that the intent of these attacks is not to kill people, although that may be 
collateral damage, but rather to cause massive disruption to the people and the 
government’s ability to effectively govern. The target is strategic rather than tactical, 
although tactical disruption or destruction is highly probable. The target is the emotions 
of the people, rather than a physical entity such as a uranium enrichment facility.59 
Collateral damage is most unpredictable in this quadrant and not likely to be of concern 
to the aggressor. 

This research presents two case studies and examines three proposed causal 
factors in order to determine the role that they played in affecting the attack’s level of 
impact. The case studies are the 2007 attacks against Estonia and the 2008 attacks against 
Georgia. There are several variables from which to choose, but the three that will 
hopefully allow for the most refinement and valuable insight are the level of attack 
sophistication, role of the alleged adversary government, and dependency of the target 
upon cyberspace technology. While there is variance in the dependent variable, the lack 
of empirical examples prevented a truly broad range of variance. There are two reasons 
for this. First, thankfully there has not yet been a cyber-attack that has been both wide 
and deep. Secondly, most cyber-related data are not disclosed by governments in fear that 
it will provide advantage to the adversary. Therefore, there are likely more cases of 
cyber-attack, but they are not publicly available. 

Measuring the effectiveness of an attack is a difficult and contentious field that is 
subject to innumerable qualitative and quantitative aspects depending upon the evaluator. 
While there is limited quantitative data for these case studies, it relates to very specific 
technical effects and fails to accurately represent the aggregate effect of the attacks. It is 
therefore necessary to focus mainly on the qualitative data to develop an accurate picture 
of the level of impact each attack had. Most of this data comes from post-incident reports 
performed by government agencies, non-government organizations, and media. Each case 
study presents a brief introduction followed by an examination of the independent 
variables, which are the proposed drivers of effectiveness, a discussion of the 
cyber-attack’s level of impact, and a conclusion. 

B. CASE STUDY 1: ESTONIA 


1. Overview 

Estonia is one of the most digitally developed nations in the world. For the past 
century the country has been subject to many masters as World War I, II and the Cold 
War ravaged Europe. When the Soviet Union fell in 1991, Estonia finally regained its 
independence and set a course for technological development. Many years ahead of the 
wireless boom, the country made an astute decision to replace landlines with wireless 
technology. Currently cell phone saturation is over 100 percent and the nation’s citizens 
are heavily reliant on digital technology to vote, bank, pay for parking, and a host of 
other activities. In fact, 80 percent of Estonians rely on the Internet to do their banking 
and vote. Although Estonia had gained its independence, approximately 30 percent of 
its population was Russian due to Russian emigration and ethnic resettling practices.62 
This population provided the Russian government with a powerful means of leverage 
within Estonia. Estonia moved forward and attempted to enhance their culture and 
security by joining NATO in 2004 and later making fluency in the Estonian language a 
requirement for citizenship, an obvious message to the significant ethnic Russian 
population.63 On 26 April 2007, the final anti-Russian action by Estonia was the move to 
transfer the Bronze Soldier, a statue of a Russian soldier erected in 1947, and 
accompanying remains of Soviet troops felled in taking Estonia in World War II from the 
capital of Tallinn to a more remote area. To Estonians the statue had become a symbol of 
oppression, while to Russians it was a rallying point.64 To both groups it became a very 
contentious site that the Estonian government decided to move. Although Estonian 
officials claimed it was to provide a more suitable resting place, many Russians believed 
it was to assert their power and subjugate the ethnic Russians.65 
The response to the statue’s removal was immediate, surprising, and difficult to 
attribute. Beginning 27 April 2007, Estonia became victim to a massive cyber-attack that 
lasted 22 days. The attack targeted financial, communications, and government 
infrastructure sites as well as the personal communication devices of government 
officials.66 The attacks were mainly distributed denial-of-service (DDOS), which 
essentially impair websites and lines of communication by introducing an overwhelming 
amount of traffic, but there were some more sophisticated SQL attacks intended to hack 
into selected systems. Of note, two of the nation’s largest banks were offline for over
two hours and subsequently unavailable to anybody outside of Estonia for several days,
because one mitigation effort was to shut down all interstate online access. Attacks on several
government Internet service provider (ISP) servers allegedly interrupted government
communications for a short amount of time. Propaganda attacks also targeted the 
Estonian Prime Minister’s website and placed a fake letter of apology to the Russian 
people with a promise to relocate the Bronze Soldier.68 There were reportedly over 
80,000 different IP addresses from which the attacks were launched and most of them 
were outside of Estonia.69 Specific instructions for what and how to attack were in
Russian on many common Russian blog sites and also contained very apparent political
motivations.70

In addition to the cyber-attacks, pro-Russian riots erupted on the streets of Tallinn 
also beginning on 27 April. While ignoring the looting and destruction, Russian media 
called them “peaceful protestors.” Police action against the rioters agitated Russian 
government officials and even moved one official to state that it was a call for war.71
Government-backed members of Nashi, a Russian political youth movement, rioted at the
Estonian embassy in Moscow and prevented workers from entering or departing. The
Estonian ambassador to Russia was also physically attacked on two different occasions
while the rioting was taking place.72 The Russian government itself stopped certain rail
and commercial truck exports to Estonia under the guise of maintenance that needed to be
performed and Estonian businesses suffered loss of revenue and contracts with prior
Russian partners.73 Additionally, in early May members of the Russian Duma travelled
to Tallinn to call for the resignation of the Estonian government.74

Although Estonia was able to reinforce their digital defenses, the cyber-attacks 
reached a crescendo on 9 May and then began to taper.75 This was a day of national
significance in Russia as it marked their victory over Nazi Germany in 1945. Several 
investigations into the attacks failed to positively attribute the responsible organizations 
although circumstantial evidence, and the Estonian government, indicates that Russia 
played a major role. Only one person was arrested in the aftermath for conducting
attacks from within the country. Allegedly this student was arrested because his origin of
attack inside Estonia facilitated sufficient collection of evidence. The Estonian
government made formal requests to Russia for help in investigating the attacks, but was
repeatedly denied. In the years following the attacks, Estonia identified its weaknesses
and addressed them to better deal with similar attacks in the future. The cyber-attacks 
uncovered legal and technical issues with which advanced nations had not yet dealt, 
particularly if such an attack amounted to an armed attack and could thereby invoke 
Article 5 of the NATO treaty permitting an allied response. 

2. Proposed Causal Factors


a. Sophistication 

Having discussed the background of the case study it is possible to 
examine some proposed causal factors that affected the level of impact of the cyber-attacks
against Estonia. This analysis will help to determine the importance of certain
causal factors in order to better understand the deterrent nature of offensive cyber-attacks. 
The sophistication of the attacks against Estonia is one variable that is worth examining. 
Although the scope of this attack was unparalleled in history, the specific tools used were 
relatively simplistic. DDOS was the predominant weapon of choice and was used against 
commercial banking and media as well as government websites. As previously
discussed, DDOS attacks overwhelm a network with meaningless traffic and requests to the point
where the network can no longer process them. These attacks were simultaneously
launched by hundreds to thousands of commandeered “zombie” computers. The
combined effects of the attack made further service for network patrons impossible.
These types of attacks do not destroy systems or manipulate data, and they are relatively
easy to fix, although it may require complete disconnection of the network from the
world, as was necessary for Estonian banks. More advanced SQL injections intended to
hack and possibly manipulate data were also used and had limited success, although their
success was in part limited by the low number of SQL attacks attempted. There are
many potential reasons that the attacks against Estonia were of low-level sophistication. 
Particularly plausible reasons are that the Russian government knew that the chances of 
their attribution increased with sophistication, the intent of the attacks on Estonia was not 
to destroy digital infrastructure, or that the attacks were essentially a “live-fire” exercise 
to determine and demonstrate weapon capacity and evaluate international reaction. The 
relatively low level of technical sophistication limited the destructive effectiveness of 
these attacks. Networks were overwhelmed, websites defaced, and routers were damaged,
but that was the extent of the damage. What the attacks lacked in sophistication and
destructive capacity, however, was compensated for by a massive coordinated effort that
made it possible to significantly affect almost all of the nation’s citizens. Due to rapid
response by Estonian officials, particularly of the Computer Emergency Response Team
(CERT), the adverse effects of commercial and government service denials were limited
and reversible. What remains important though is that a majority of the citizens of 
Estonia, to include the government, were aggressively and successfully attacked for over 
three weeks. While appropriate Estonian response and subsequent mitigation efforts 
helped address weaknesses, it is logical to surmise that their failure to do so could easily 
have eroded public confidence and support for the government. 

b. State Dependency 

State dependency on technology is a proposed causal factor worth
examining because the degree of technological variance throughout the world could have 
implications for the level of impact of an offensive cyber-attack against a given country. 
Although it does not capture all aspects of a state’s reliance on and employment of digital 
connectivity, the Internet’s penetration rate, or ratio of Internet users in a society, does 
provide a rough metric to gauge potential vulnerability. Estonia’s reliance upon 
technology provided a significant vulnerability to any potential adversary that desired to 
avoid more conventional tools of diplomacy. By 2007, the Estonian digital infrastructure 
encompassed the functions of the government, power grid operations, financial services, 
and the water supply and distribution system. Additionally, 97 percent of banking 
transactions occurred online while over 60 percent of the population relied on the Internet 
to conduct their normal banking functions. An IT director at the Estonian Defense 
Ministry explained that the Internet had pervaded their society to such a degree that their 
normal bureaucratic processes were referred to as a “paperless government.” In
reference to their technological dependence Estonia has been jokingly referred to as
“E-stonia.” Estonia’s experience is a valuable case study because their technology infusion
was ahead of its time and provides valuable, albeit painful, lessons for the majority of the 
developed nations that are following in its footprints. While cyberspace technology can 
provide many benefits in terms of efficiency, costs-savings, ease of use, and speed of 
information, it is imperative to also realize the vulnerabilities that are created. This is 
particularly true when the digital infrastructure is not designed to defend against
low-level cyber-offensive weapons. Being the first victim of a large-scale cyber-attack,
Estonia publicly demonstrated that the combination of Internet reliance and weak defense 
was dangerous. While their techno-savvy has been discussed, it is also important to 
highlight specific weaknesses that provided a vulnerable attack surface. Incorrectly 
configured webservers created a flaw by which the attackers could quickly overwhelm 
the websites, which was exacerbated by an infrastructure design that had numerous 
bottlenecks.89, 90 Because Estonia suffered from a shortage of adequately trained Internet 
security professionals, countering the onslaught and addressing the damage required an 
allied CERT effort from Finland, Germany, Israel, Slovenia, the EU, and NATO.91
While this considerable effort was largely due to the fact that an attack of this scale had
never happened before, Estonia was nevertheless short-sighted in their preparations. Had
these issues been identified and addressed prior to the removal of the Bronze Statue, it is 
possible that the adversary’s decision calculus would have realized that an offensive 
cyber-attack was not an effective tool of diplomacy. 

c. Government Involvement

Although direct Russian involvement in the cyber-attacks was never 
positively proven, circumstantial evidence certainly seems to indicate that the nation 
played a major role. With the movement of a Russian monument as a triggering event, 
Russian involvement and cooperation appeared to escalate over the course of the attacks 
so much so that the President of Estonia publicly called for Russia to remain civilized.92 
Angry anti-Estonian rhetoric from the Russian media and senior state officials, to include 
President Putin and members of the Duma, certainly did not help assuage the attacks and 
likely fueled the fire. Russian refusals to help Estonia investigate the attacks that
originated in Russia, despite a signed treaty that called for such cooperation, are also 
evidence that Russia was trying to hide larger involvement.94 While NATO did not 
directly accuse Russia, one official did say “I won’t point fingers. But these things were 
not done by a few individuals. This clearly bore the hallmarks of something concerted.”95 

It is important to discuss the possibility of Russian involvement because 
attacks of this magnitude are unlikely without either direct or indirect support of a state 
sponsor. Their role in actually launching the attacks is too difficult to determine, but it is 
safe to say that Russia indirectly supported the attacks by repeatedly fueling a hostile 
situation in public, and possibly by proxy in chat rooms, and subsequently protecting 
attackers from investigation or punishment. A member of the Cooperative Cyber Defense 
Center of Excellence in Tallinn, which is a NATO organization created as a direct result 
of the attacks against Estonia, posited that the Russian government’s involvement may 
have been as the coordinator of a people’s war where the computer-savvy Russian 
citizens were manipulated by the government towards a common enemy.96 It is an 
appealing strategy for the government because the lack of direct evidence provides 
plausible deniability, but the effects are nonetheless massed on the target. The veil of 
secrecy and protection provided by the Russian government is also an important factor in
the lingering effects and ambiguity that resulted from the Estonian attacks. Only a state
actor has the ability to stonewall international calls for an investigation. In terms of level
of impact, the fact that there was a twenty-two-day-long cyber-attack and the attacker
could not be confirmed or brought to justice certainly had an effect on the psychology 
and confidence of the Estonian government and citizens. It likely also sent a very clear 
message to states around the world that possessed burgeoning offensive cyber-weapons 
resources and were trying to think through the impacts of their employment. Not only 
was it possible to coordinate masses of “hacktivists” to execute cyber-attacks against a 
common target, but subsequent refusal to cooperate with investigations provided an 
additional layer of deniability. If there is no investigation, then culprits will not be 
identified. It is safe to say that had the Russian government handled the situation by 
purely diplomatic means rather than rabble-rousing and inciting the masses, then the 
cyber-attacks against Estonia would have been much less significant in both immediate 
and long-term effects. 

3. Value of Dependent Variable

Available evidence indicates that the level of impact of the offensive cyber-attacks
on Estonia is in the upper-left quadrant (Figure 3). In terms of breadth, the target
was very widespread as the government, banking, and media were victim to the attacks. 
Although these services were critical to the daily lives of the citizens, the attack did not 
target other vulnerabilities that could truly have crippled the nation such as the power, 
sewer, and air traffic control services. Had these additional targets also been attacked the 
breadth of the attacks would have been assessed to be near the maximum value. The
attacks against Estonia remained shallow in depth because the predominance of attack
techniques was DDOS and web defacement conducted by botnets or recruited
“hacktivists.” Although there were occasional SQL injections that were much more
sophisticated, the attacks only temporarily prevented citizens from accessing certain 
government and financial services while also subjecting them to digitally-delivered 
propaganda. There was no evidence of truly destructive software that caused physical 
damage, loss of data, or irreversible consequences. This absence limited the effective 
depth of the attack. 

4. Conclusion 

This case study provides several valuable points that shed light on the relationship
between the proposed causal variables and the attack’s level of impact. In terms of the
attack’s sophistication, this proposed causal factor limited the depth, but allowed for
increased breadth. The intended depth of the attack may have been shallow in order for
the aggressor to remain anonymous or perhaps a shallow attack achieved the intended
effects. Regardless, however, the sophistication of the attacks limited the level of impact
specifically in terms of depth. While the occasional SQL injection did increase the depth
value of this case study, the preponderance of DDOS and defacements were largely a 
result of unsophisticated techniques. While the relative unsophistication prevented a truly 
deep attack, it is also important to note that the Estonians’ lack of preparedness and 
adequate defenses against DDOS attacks did contribute to the depth that the attacks did 
reach. The Estonian government had to request CERT help from more defensively-prepared
nations in order to counter the onslaught of the botnet attacks. Additionally, the
depth of the attack was limited when the Estonian government essentially unplugged its
digital connection to the outside world, and although this action limited the effectiveness
of the attack, it still caused massive disruption to the many customers of Estonian banks 
that were outside of the country. 

State dependency did play a factor in the level of impact, but it was mainly in 
terms of the breadth of the attack. Estonia’s well-documented digital integration created a 
vulnerability that was easily targeted. Because an overwhelming majority of the 
population used the Internet for financial transactions, communication and information 
sharing, and to access government services, to include voting, the attacking force had 
several targets from which to choose. Had the primary targets required a level of 
sophistication that the aggressing state was not willing to employ, the abundance of 
targets meant the attackers merely had to keep looking until they found adequate 
vulnerabilities. In a state with limited dependency, there are two issues that will limit the 
impact of the attack. First, the number and variety of targets will be far more severely
restricted than in a digitally robust society. Secondly, because a minority of the citizens
relies on digital services, an attack on a given sector will affect a much smaller 
percentage of the citizens than was the case in Estonia. 

Although state role remains unproven, evidence indicates that state involvement 
was necessary for this caliber of offensive cyber-attack. While the intent is not to uncover 
the aggressor’s identity, it is important to highlight the ability of a state-level entity to use 
national-level pulpits to incite public anger against a common enemy, employ chat-rooms 
and blogs to provide specific code and targets to attack, and then stonewall any 
international attempts to attribute responsibility. Without concrete evidence it is 
necessary to draw some conclusions based upon what can reasonably be assumed. The 
state’s involvement presumably included determining the breadth and depth of the attack 
before it began and subsequently monitoring the situation to make sure that it did not 
escape the designated boundaries. Because a shallow depth leaves a less traceable 
fingerprint on the attack, the state likely limited the sophistication of the attack to DDOS 
and defacement. In order to compensate for an unwillingness to launch a deeply 
destructive attack, the state increased the breadth by sponsoring a massive coordination 
effort to mobilize a “hacktivist” army. This call to arms was conducted on Russian blogs
and chat-rooms and provided specific targets and attack codes. The breadth increased the
effectiveness of the attack while providing the state with two advantages. First, the
attacks were not of such great breadth as would likely instigate an international military
response, so the state had the opportunity to monitor and test international opinion of
their actions without being in legitimate danger. The second advantage was that these 
broad and outsourced attacks gave the state the opportunity to test its command and 
control of such an operation and make improvements for use in future conflicts. 

C. CASE STUDY 2: GEORGIA 

1. Overview 

Georgia is a former member of the Soviet Socialist Republics, and as such, has 
experienced significant turbulence since its dissolution. The turmoil actually reaches 
much further into history as their governing entities changed frequently between the 
Russian czars, short-lived independence after the Bolshevik Revolution, the Soviet Union 
throughout the Cold War, and again to independence following the Soviet Union’s 
collapse in 1991. Georgia’s post-independence borders include South Ossetia, which is a 
region that contains people ethnically and linguistically different from Georgia. The
region of North Ossetia is within the borders of the Russian Federation although its 
inhabitants are ethnically the same as the South Ossetians. Violent turmoil has been the 
state of the relationship between South Ossetia and the Georgian government since 1990 
with various attempts by a Russian-backed South Ossetia to gain autonomy and several 
violent suppressions by the Georgian government. The situation continued to escalate 
after the 2003 election of Georgian president Mikheil Saakashvili who executed an 
agenda that saw significant military buildup, application to NATO, and increased 
aggression to quell the uprisings in the breakaway regions of South Ossetia and 
Abkhazia.98 Russian opposition to all of Saakashvili’s actions bolstered the rising 
tension between the two states and emboldened anti-Georgian resistance by South
Ossetia. Citing alleged ceasefire violations by South Ossetia, Georgia moved their 
military forces into the rebellious region on 7 August 2008 which sparked Russian 
military mobilization into South Ossetia where they launched air strikes against selected 
targets in Georgia. What immediately preceded, and then continued throughout the
Russian military action, but was never attributed to Russia, was an offensive cyber-attack 
against select portions of the Georgian digital infrastructure intended to confuse a 
coordinated military response, undermine the effectiveness of the Georgian government 
in dealing with such an attack, affect exported information about the war, and exacerbate 
the confusion of the Georgian citizens. In an effort to influence how the international
audience viewed the Russian actions, not only did hackers attack the BBC and CNN to
prevent portrayal of the attack, but also massed efforts on some prominent online polls,
such as CNN, to make it look like Russia was not the aggressor.101 These rigged polls
then further encouraged commentators to spin the situation in Russia’s favor. 
Additionally, some of the cyber-attacks specifically attempted to incite and demoralize 
the Georgian people by defacing numerous websites with pictures comparing Mikheil 
Saakashvili to Adolf Hitler. 

Initial cyber-attacks targeted designated government and media services in order 
to prevent effective communication of the Russian invasion. As the Russian military 
movement into South Ossetia continued, the cyber-attacks were expanded to include 
additional government sites, financial institutions, media outlets, businesses, educational 
institutions, as well as known Georgian hacking forums in an effort to limit a
cyber-counter-response. Russian hackers also allegedly attacked servers in countries such as
Turkey and Ukraine that provided critical communication services to Georgia so as to
further disrupt communication. The kinds of cyber-attacks that accompanied the
Russian military intrusion were not particularly sophisticated and were mainly either 
DDOS attacks or web-defacements. Attacks intended to cause physical damage were not 
perpetrated by the hackers although these targets were certainly vulnerable. Although 
cyber-attacks continued for several weeks afterwards, the majority in both numbers and 
effectiveness took place during the same five-day window of the Russian military actions
between 8 and 12 August 2008 when a ceasefire agreement was signed. Specific 
attribution was never established although evidence indicates a wide variety of Russian 
entities were possibly involved in the attacks to include the Russian military, powerful 
business networks, Russian organized crime, intelligence agencies, and patriotic Russian
hackers.106

The Georgian response specific to the cyber-attacks was guided by inadequate 
defense and preparation. Fortunately for Georgia, Estonia had recently suffered a very 
similar attack and was able to provide assistance in limiting the amount of damage done 
and addressing additional vulnerabilities. Initial and rudimentary tactics such as blocking 
IP addresses of Russian origin worked for only a short time as the attackers easily
rerouted their attacks. In a fortunate and innovative turn for the Georgian government, 
executives from several large web server companies such as Google and Tulip allowed 
critical government functions to be transferred to their servers in the United States. 
Although this action did help to alleviate the direct attacks on Georgian systems, it did 
redirect a significant volume of attacks against servers in the United States and 
consequently spark academic debates about private companies and their role in
cyber-conflict. Georgian nationalist hackers did rally in support of their nation and attempt
DDOS counter-attacks against news media and other select targets, but their efforts were
largely ineffective and unnoticed in comparison to the volume of Russian-based
cyber-attacks.

2. Proposed Causal Factors

a. Sophistication 

The sophistication of the attacks against Georgia was relatively 
unremarkable with DDOS and web defacement being the primary tools of cyber-attack. 
While these tools are both relatively simple in concept and execution, the method of their 
employment indicated a much higher sophistication. As previously discussed, DDOS 
attacks overwhelm the capacity of a network or computer to accept and reply to all of the 
requests thereby causing it to crash and be unable to provide further service. These 
attacks are generally executed by large numbers of networked computers, sometimes 
unknown to the owners, under the command and control of a “bot master” that remotely 
coordinates them to conduct massed attacks. Evidence from the Georgian attacks 
indicates DDOS software had been developed and implemented specifically for use 
against the Georgian networks. Some of the denial-of-service attacks were carried out by 
software normally intended to evaluate the stress potential of a network, while even more 
advanced software targeted websites and requested non-existent web pages. The targeted 
websites then endlessly looked for nonexistent web pages which quickly incapacitated 
server capability. Although the weapons of choice were DDOS and web defacements,
certain more advanced attacks used SQL injection, which allowed much more
experienced hackers to accomplish DDOS-like effects without the number of networked
zombie computers. These techniques permitted the attacking force to mount their attacks
with fewer zombie computers while still creating enormous amounts of traffic. While much
of the specific attack data is not publicly available or attainable, an analysis firm called 
Arbor Networks released some statistics that demonstrate the nature of some of the more 
significant denial-of-service attacks. Their data reveals that the attacks averaged an 
intensity of 211.66 Mbps with a peak of 814.33 Mbps with an average duration of 2 hours 
and 15 minutes and a 6 hour maximum duration.109 This level of traffic can be handled
by appropriate hardware, but thanks to the stress test software used by the Russian
attackers, they were able to determine exactly the level of traffic necessary to incapacitate
the Georgian infrastructure. It was also fortuitous that the Georgian commercial and 
government digital infrastructure was completely unprepared to defend against an attack 
of this scale. 
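
An added example, not part of the thesis: a behaviour-based check for the missing-page request floods described above. It keys on request rate and the share of 404 responses rather than on source origin, which matters because the origin-based IP blocking mentioned in the Overview was quickly bypassed. The log format, thresholds, function names, and sample traffic are all assumptions constructed for illustration.

```python
"""Detect floods of requests for non-existent pages in a web access log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format (assumed): ip - - [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ \S+ [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (time, ip, status) for each well-formed line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], int(m["status"])


def per_client_floods(lines, window=timedelta(seconds=10),
                      min_requests=20, min_404_share=0.9):
    """Return {ip: peak requests in one window} for clients whose traffic in a
    sliding window is both heavy and almost entirely 404s. Lines must be in
    time order."""
    recent = defaultdict(deque)          # ip -> (time, status) inside the window
    flagged = {}
    for ts, ip, status in parse(lines):
        q = recent[ip]
        q.append((ts, status))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        misses = sum(1 for _, s in q if s == 404)
        if len(q) >= min_requests and misses / len(q) >= min_404_share:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def site_wide_flood(lines, window=timedelta(seconds=10),
                    min_requests=80, min_404_share=0.8):
    """Return (alert, sources). Catches the distributed case where every source
    stays under the per-client threshold but the site as a whole is swamped
    with 404s. sources is the set of IPs sending 404s in the worst window."""
    q = deque()
    alert, sources, worst = False, set(), 0
    for event in parse(lines):
        q.append(event)
        while event[0] - q[0][0] > window:
            q.popleft()
        miss_ips = [ip for _, ip, status in q if status == 404]
        heavy = len(q) >= min_requests
        if heavy and len(miss_ips) / len(q) >= min_404_share and len(miss_ips) > worst:
            alert, sources, worst = True, set(miss_ips), len(miss_ips)
    return alert, sources


def build_sample_log():
    """Constructed traffic (documentation IP ranges), not real attack data."""
    t0 = datetime(2008, 8, 8, 10, 0, 0, tzinfo=timezone.utc)
    events = []

    def add(offset, ip, path, status):
        ts = t0 + timedelta(seconds=offset)
        stamp = ts.strftime(TS_FMT)
        events.append((ts, f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512'))

    # Background: three ordinary clients fetching a real page every 5 seconds.
    for offset in range(0, 131, 5):
        for n in (1, 2, 3):
            add(offset, f"192.0.2.{n}", "/index.html", 200)
    # Single noisy source: 5 requests per second for 10 seconds, all missing pages.
    for i in range(50):
        add(60 + i // 5, "198.51.100.7", f"/page-{i}.html", 404)
    # Distributed sources: 30 clients, only 3 missing-page requests each.
    for burst in (0, 4, 8):
        for n in range(1, 31):
            add(120 + burst, f"203.0.113.{n}", f"/missing-{n}-{burst}.html", 404)

    events.sort(key=lambda e: e[0])      # the detectors expect time order
    return [line for _, line in events]


if __name__ == "__main__":
    log = build_sample_log()
    print("per-client:", per_client_floods(log))
    alert, sources = site_wide_flood(log)
    print("site-wide alert:", alert, "from", len(sources), "sources")
```

The per-client check alone misses the distributed phase, which is why the site-wide share of 404 responses is tracked separately.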

Although the attack tools were used in a more sophisticated manner than 
in previous cyber conflicts, such as Estonia, they were still relatively basic compared to 
the arsenal of cyber-weapons that could have potentially been used. But because denial of 
service and defacement were the intended effects, these tools were the logical weapons of 
choice. In order to increase the level of traffic levied against Georgian servers and 
websites, Russian hacking and blogging forums were employed to recruit a “hacktivist” 
army. These websites posted the scripts, tools, and instructions necessary for their 
execution, but also provided a list of 36 different websites against which the recruited 
hackers should launch their attacks. 

An important point to take away from the Georgian cyber-attacks is that 
unsophisticated tools were sufficient to accomplish the intended effect of preventing 
government coordination and to a limited degree demoralizing the population. There 
were stronger cyber-tools available that could have caused significant physical damage 
and much more debilitating effects to the digital infrastructure, but the aggressor force 
likely imposed self-restraint so as not to induce strong international opposition and 
investigation. By massing the unsophisticated, but debilitating effects using recruited 
hackers and altered software, the aggressor force was able to shut down key government 
and business online ability while retaining their veil of secrecy. 

b. State Dependency 

There are many commonalities between the offensive cyber-attacks 
launched against both Estonia and Georgia, but state dependency on and the integration 
of a robust digital infrastructure are vastly different between the two states. 2007
statistics indicate that there were approximately 8.3 Internet users per 100 people in Georgia, which
puts it roughly in the same ballpark as nations such as Haiti and Tanzania. By
contrast, Estonia and the United States had 66.2 and 75.3, respectively.111 Most of the
Internet use is among business and government professionals as it has not permeated into
the regular daily life of the citizenry as it had in many more technologically advanced
nations. In terms of Georgia’s dependence upon other nations for connectivity,
post-conflict investigations indicate that a majority of the nation’s over-land Internet
connections go through Russia while most of the Internet traffic is routed through Turkey
(and then Russia) before being sent to its final destination. Georgia was working to
decrease their dependence upon traditionally adversarial states by routing fiber optic
cable through the Black Sea and into Bulgaria, but that project had not yet been
completed before they were victim to the 2008 cyber-attacks. An additional aspect of
dependence was that 90 percent of Georgia’s commercial services were controlled by
Caucasus Network Tbilisi, a company whose infrastructure was in the middle of the
conventional military action and thereby suffered debilitating damage.

Tikk et al., Cyber Attacks Against Georgia, 10.

The average citizen’s lack of dependency on Internet connectivity vastly 
decreased the attack surface vulnerable to attack which thereby limited the effectiveness 
of the attack. Because most citizens did not conduct online business transactions, obtain 
their news from the Internet, or use online government services, their daily life was not
vastly different than had there not been an offensive cyber-attack. This was not true of the 
government and business sectors in Georgia where a majority of the connectivity resided. 
Because the attacks were successful in denial-of-services on government websites, 
communications, and news media, the attacks effectively crippled the ability of the 
government to coordinate their response, present their story to the international world, 
and inform their people. While a majority of people were not directly reliant on the 
Internet, the crippling of government and news media prevented information flow from 
the capital to regional news and government centers. While this obviously affected the
citizens’ ability to remain abreast of the situation, it also had a demoralizing effect in that
connected citizens and media could not access their government in a time of war.

111 The World Bank, “Internet Users (per 100 people): 2007,” January 12, 2012,
http://data.worldbank.org/indicator/IT.NET.USER.P2?page=1.

There are several key points drawn from the level of Georgian dependency 
on connectivity. First, the fact that a minority of the population relied on the Internet in 
the course of their daily lives limited the impact of the attack on the private sector. Unlike 
in Estonia, a majority of the Georgian people did not conduct banking or depend on 
web-based government services. A second point is that the Georgian commercial and 
governmental burgeoning integration of Internet-based technology made this an area 
vulnerable to attack. This is particularly true in light of the fact that the nation was 
inadequately prepared to defend against or counter the cyber-attack. A third point deals 
with the structure of the national dependency. With one company providing 90 percent of 
the services and a majority of the over-land cables providing connectivity going through 
an established adversary, Russia, the Georgian government lacked the diversity of 
connectivity that is necessary for continued operations. Not only were their eggs 
all in one basket, but the source of the eggs was an enemy. Individually those issues are 
significant enough to create a very attractive attack surface. Georgia was very fortunate 
that Google, Tulip Systems Incorporated, Poland, and others came to their aid and hosted 
critical government and media services on servers that were outside of Georgia, but 
developing government cyber-conflict policy and laws will likely prevent this from being 
a common course of action in future cyber-conflicts. The final point taken from the 
investigation of NATO’s Cooperative Cyber Defense Center of Excellence, which was 
created in response to the Estonian attacks, states that nations with low dependency on 
Internet connectivity and IT often suffer the most in terms of their ability to efficiently 
push information. 116 One reason is that a robust digital infrastructure makes 
communication much more efficient. The other possible explanation is that when a state 
relies on limited conduits with little redundancy, any disturbance to service can have 
disproportionate effects. 


114 Ibid., 14-15. 
c. Government Involvement 


Investigations of the cyber-attacks against Georgia failed in the attribution 
attempts, but like the Estonian case study, an overwhelming preponderance of evidence 
implicates Russian involvement. One of the more peculiar aspects of the cyber-attacks 
was the precise timeline that it followed compared to the conventional military action by 
Russia. On 19 July, three weeks before the attacks started, network monitoring services 
witnessed a DDOS attack against the website of the Georgian president as well as the 
presence of a command and control server typically used to coordinate botnet attacks. 
The type of command and control server was known to be one used by Russia. This 
preliminary attack on the president’s website lasted 24 hours before the site was moved to 
the United States, and the command and control server went offline shortly thereafter and 
did not come back online until 8 August when the massive cyber-attacks began. Evidence 
indicates that in the three weeks prior to 8 August the attackers were performing 
reconnaissance and coordinating their botnets in anticipation of a massive 
cyber-onslaught when Russia became kinetically involved. In the hours prior to Russian 
commencement of military activities, cyber-attacks successfully gained control of state 
computer servers and incapacitated the Georgian government’s ability to either 
effectively coordinate their attacks or communicate with the outside world. The Georgian 
Ministry of Foreign Affairs immediately fingered Russia in a statement given on their 
website, which was now being hosted by Google, saying that “a cyber-warfare campaign 
by Russia is seriously disrupting many Georgian websites.” What is also remarkable 
is that many of the attacks were specifically designed for use against Georgia and were 
developed in some cases years in advance. Some of the DDOS software previously 
discussed was designed specifically for the Georgian infrastructure, while the intricacy of 
certain defacement material indicates that it had been developed at least two years prior 
to the start of the 2008 Russo-Georgian war and by an entity familiar with psychological 
operations. 120 It is not reasonable to think that a private citizen hacker would years in 
advance develop weapons specifically intended for use against Georgia without a 
government request or sanction. Developing weapons for use against potential state 
adversaries is the business of the government, regardless of whether they develop it 
themselves or outsource it. 

Ibid., 12. 

Not only did circumstantial evidence indicate some measure of Russian 
involvement, but investigations into the event uncovered direct links to Russian 
organized crime, specifically the Russian Business Network (RBN) which is a 
well-known perpetrator of cyber-crime. Many of the servers used to attack the Georgian 
infrastructure were traced to criminal organizations such as RBN and network monitoring 
services even witnessed these servers simultaneously executing criminal attacks against 
unrelated targets. 121 Two points indicate that these organizations were acting at the 
behest of a larger entity such as the Russian government. Like the recruited “hacktivist” 
groups organized on the hacking forums, large criminal organizations have little interest 
in targeting government and communications servers of a state-entity, particularly when 
their normal criminal enterprises are so lucrative. Additionally, there have been several 
allegations that the Russian government regularly uses criminal organizations to carry out 
actions that are too delicate if the actions were to be attributed to the state. 122 

While the direct involvement of the Russian government has yet to be 
proven, circumstantial evidence regarding the government’s affiliation is strong enough 
to form some initial conclusions. The nested timeline, complete with prior notification of 
Russian military action, seems to indicate that the government was certainly involved. 
While it may not have been government personnel or computers conducting the attacks, 
overwhelming evidence supports that Russia served as the puppet-master behind the 
cyber-onslaught. Much as was the case in Estonia, the government likely either directly 
oversaw or sanctioned deliberate preparations such as the recruitment of able bot masters 
with sufficient zombie armies, distribution of malicious code with intended targets, 
development of psychologically effective defacement campaigns, and coordinated 
approval for the cyber-attacks to commence. All of these activities could be 
surreptitiously performed so that traceable ties and incrimination of government sources 
were nearly impossible after the fact. While a bot master or criminal organization could 
have launched piecemeal attacks, it took a state entity to recruit and bring all elements 
together and concentrate their effects at the decisive time and place. 

120 AFCEA, The Russo-Georgian War 2008, 9. 

121 Bumgarner and Borg, Overview by the U.S.-CCU, 4-5. 

3. Level of Dependent Variable 
Figure 4. Effectiveness of Cyber-attacks Against Georgia 

Available evidence indicates that the offensive cyber-attacks launched against the 
nation of Georgia were both shallow and narrow, thereby placing it in the lower-left 
quadrant (Figure 4). The breadth of the attack was narrow as the primary targets were 
government websites and media. Although the Georgian digital infrastructure was 
considerably less robust than that of Estonia, there remained additional sectors that were 
left untargeted, presumably because attacking them would not have contributed to the 
aggressor’s seemingly military objective. The depth of the attack was relatively shallow 
as the primary effects were denial of service and defacement. The denial of service was 
designed to limit the Georgian government’s ability to communicate with the outside 
world or to effectively coordinate its military response, while the defacements were 
intended to introduce incendiary propaganda. These attacks were extremely successful, 
but only to the limited shallow depths that they were intended to reach. 
Significant disruption, destruction, or alteration of data was neither present in this attack, 
nor necessary to accomplish the objectives. 

4. Conclusions 

The cyber-attacks conducted against Georgia help to further develop the role 
played by the proposed causal factors in determining the level of impact. When viewed 
against the backdrop of what was technologically possible, the sophistication of these 
attacks was unremarkable. DDOS and web-defacements were again the primary tools 
which thereby severely limited the depth of the attacks. There is evidence of occasional 
use of SQL injection, but this technique was uncommonly altered to produce DDOS-like 
effects rather than the more destructive effects that it is capable of producing. And 
although unsophisticated in nature, the depth reached by the cyber-attacks was again 
augmented by the totally inadequate preparation of the Georgian government to defend 
against such an event. The Georgian government had to employ NATO CERT teams and 
accept various international offers to host critical government web services in order to 
alleviate the effects of the cyber-attacks. The Estonian incident was only a year old and 
the lessons-learned from that event had not widely taken root, particularly to nations with 
limited dependence on Internet connectivity. Although the simplicity of DDOS 
contributes to its allure and success as a cyber-weapon, more defensively prepared 
nations would not have so easily succumbed to these attacks. 

Aspects of Georgian digital dependency offer some very valuable insight towards 
how this factor affects the level of impact. First, the non-dependence of the average 
Georgian citizen reduced the breadth of the vulnerable attack surface available to the 
aggressor. While this could arguably be one reason for the limited breadth of the attack 
against Georgia, it seems more plausible that their non-reliance is coincidental to the 
narrow breadth as the objectives of the attack did not require a more expansive breadth. 
The point is worth noting that reduced dependence does reduce the breadth of an attack, 
but if the objectives can be met by a narrow attack, then the level of the state dependency 
is not important. The second point about state dependency highlighted by this case study 
is that the depth of an attack can be exacerbated by a high dependency on assets that have 
limited diversity. One company controlled over 90 percent of the nation’s commercial 
traffic, while most of the physical lines providing connectivity ran through the territory of 
Georgia’s most dangerous enemy. 123 Both of these factors intensified the depth of the 
cyber-attacks as Georgia was unable to unilaterally overcome the effects created by this 
dependency. They were indeed fortunate for the assistance of several foreign 
governments and commercial enterprises. 

The offensive cyber-attacks against Georgia were never positively attributed to 
the aggressor, although circumstantial evidence overwhelmingly indicated heavy Russian 
involvement. Using their involvement as an assumption, several points can be extracted 
from this case study regarding the effect that state involvement has on a cyber-attack’s 
level of impact. The depth of the attack was directly affected by the creation of a digital 
cyber-militia that used relatively simple attack methods. Much as a hastily recruited 
conventional militia is generally incapable of complex military operations, the 
cyber-militia used in this attack also had limited capability. The aggressing entity understood 
this fact, but likely concluded that increased depth carried a pronounced risk of their 
implication. This is an important point to make because although governments have the 
ability to greatly increase the depth of attack, their involvement generally limits the depth 
in fear of reprisals. State involvement also directly impacted the breadth of the attack by 
their provision of a list of websites for their cyber-militia to target. These targets 
consisted mainly of government and media websites and the target list was posted in 
several blogging and chat-room websites. By viewing the government’s role as similar to 
that of a marionette, it is not difficult to imagine the breadth of the attack being much 
wider had a larger variety of targets been supplied. The reason for the restraint is difficult 
to attribute, but the most probable reasons are that the narrow attacks met the larger 
operational objectives and the very narrow attack carried less risk of external 
condemnation. 


Tikk et al., Cyber Attacks Against Georgia, 6, 14. 

A final point regarding government involvement applies to both the breadth and 
depth of the attack. The succinct coordination between conventional military and 
cyber-operations allowed for an attack of limited depth and breadth to be successful. Because 
the effects of the attack were perfectly synchronized with conventional military 
operations, the aggressing state did not need to introduce more powerful cyber-attacks 
with more lasting effects. This synchronization facilitated a minimal use of cyber-force 
and thereby reduced the risk to positive attribution or aggressive adverse international 
response. 

D. CASE STUDY CONCLUSIONS 

Before discussing the conclusions induced from the case studies it is important to 
mention that they were limited in the scope of what they could examine. There are three 
reasons for this. First, because the advent of cyber-weapons has really only been 
significant in the last two decades there are a limited number of cases from which to 
choose. Secondly, of the available case studies there is normally a very limited amount of 
information that is released. The aggressor state has obvious reasons for not releasing the 
information, while the targeted state does not generally desire to elaborate upon their 
vulnerabilities. The third limiting factor of these case studies was self-imposed. In order 
to extract as much valuable information as possible from the case studies it was necessary 
to limit the range of certain variables, specifically the intent of the aggressing state. 124 
With the intent fixed as seeking to subvert the ability of the government to successfully 
protect and provide services for their citizens, the two most prominent case studies were 
the cyber-attacks against Estonia and Georgia. It is also important to mention that both of 
these attacks were allegedly perpetrated by Russia, but this was a difficult coincidence to 
avoid in such a narrow field of potential case studies. 125 

The case studies revealed several important insights into the influence that 
proposed causal factors had on the cyber-attack’s level of effectiveness. The proposed 
causal factors examined throughout these case studies were the sophistication of the 
cyber-weapons, the targeted state’s level of dependency, and the level of the aggressor 
state’s government involvement. The most important point to make is that government 
involvement in these cases was never proven, so their role is alleged but supported by 
very strong circumstantial evidence. That being said, the government’s involvement in 
each of the case studies played the largest role in determining the ultimate level of the 
attack’s effectiveness. Evidence examined in the research indicates that Russia was the 
driving force behind each attack and exerted their influence by recruiting an outsourced 
cyber-militia, providing lists of targets, and coordinating the timeline of the attacks. 
Russia’s recruitment of a cyber-militia by making inflammatory public statements against 
their enemies or more active recruitment in blogs and chat-rooms is an essential point to 
examine because it could very easily serve as a common practice of other aggressor 
states. The benefit of this practice is that it provides the aggressor state with plausible 
deniability. A state can easily serve as the ignition to tinder without demonstrating clear 
violation of any international law. The pulpit serves as a way to incite the cyber-militia, 
while blogs and chat-rooms provide the anonymity and outlet for the government to 
exercise limited control and coordination. The price of this plausible deniability is that 
the state sacrifices their direct control of the operation, and specifically the level of 
destruction that is possible. By recruiting an online cyber-militia, the state essentially 
relegates itself to the tools and common practices of hackers such as DDOS, SQL attacks, 
and website defacement. Russia certainly has a very advanced and destructive 
cyber-weapons capability and could have conducted attacks of much greater severity than 
actually took place in Estonia and Georgia, but this comes with a higher risk of 
attribution. Non-state entities do not typically have the resources, skill, or protection 
necessary to execute cyber-attacks that are both wide and deep, so it is likely that use of 
weapons of this caliber would lead to increased risk to the state. 126 This increases the risk 
because wide and deep attacks would require weapons that only states possess, thereby 
increasing their risk of attribution. Additionally, very destructive attacks would likely 
invite more aggressive international opposition and investigation. There are two main 
points to take away from this discussion of state involvement. The first point is that there 
is a tradeoff between level of effectiveness of a cyber-attack and a state’s ability to retain 
plausible deniability. The second point derived from the case study research is that state 
involvement limits the effectiveness of a cyber-attack in both its depth and breadth. 
Although some states possess advanced cyber-weapons, the risks associated with their 
employment are great. The intent of the aggressor state in these case studies did not 
warrant assuming that risk, but cyber-attacks such as Stuxnet demonstrate that this is not 
always the case. It is worth noting that the corollary of this argument is that non-state 
actors that acquire destructive cyber-weapon technology could pose a very serious threat. 

Sophistication of the weapons employed did affect the depth and breadth 
of the attacks. Because the cyber-weapons employed were mainly individual hackers and 
botnet armies, the ability to deeply affect the target’s digital infrastructure was not 
possible. Appropriation of slave computers by bot-masters to carry out DDOS attacks 
allowed for a much wider breadth than would have been possible had the attack relied 
solely on the willing recruitment of hackers. But as a causal factor, the research indicates 
that the level of sophistication was mainly a result of government involvement. So, while 
the weapon sophistication does affect the effectiveness of the attack, it must be noted that 
the level of sophistication is largely a result of state participation. The point to take away 
from this discussion is that highly sophisticated weapons are not necessary to have an 
effect. Large numbers of unsuspecting computers can greatly increase the breadth of an 
attack, as can large and coordinated groups of self-taught computer operators that can 
follow instructions. Both of these options offer several advantages over complex weapons, 
mainly that they are cheaper and protect plausible deniability. However, not all targets 
are susceptible to broad, but shallow attacks and may require use of much more 
sophisticated cyber-weapons. An attack on a SCADA or satellite guidance system, for 
example, would require a deep and narrow attack. 

The last proposed causal variable, state dependency, was also instrumental in 
determining the effectiveness of a cyber-attack. There are several points that were 
revealed in the course of the case studies that are worth mentioning. One of the more 
apparent conclusions is that the target state’s dependency upon digital connectivity can 
facilitate a broader cyber-attack, which in turn increases the level of effectiveness. The 
high degree of the Estonian population’s reliance provided a rich target field. It was not 
difficult for Russia to find vulnerabilities to attack, whereas the target field in Georgia 
was significantly more selective. This limited availability of targets consequently 
decreased the breadth of the attacks, and because depth was not increased in 
compensation, the overall effectiveness. 

There are a couple other points to make about the state’s dependency as a causal 
variable. State dependency plays a more important role in increasing the effectiveness 
when the aggressor’s intent can be met by executing broad attacks. There were several 
ways to achieve the intended end-state of subverting the government’s ability to protect 
and provide services to its people, one of which could be accomplished by a relatively 
easy and cheap attack on the availability of digital services. Russia did not need to deeply 
affect a target in either case in order to achieve their goals. Broad attacks against an 
Estonian society with very high reliance upon the Internet did alter the conveniences of 
daily life for several weeks, but that was essentially the limit of the damage. The attack 
on Georgia also required limited depth as the goals were to prevent internal and external 
communication to coordinate the government’s response to Russian military operations. 
Had either scenario called for extremely narrow and specific targeting of a capability then 
the state’s dependence upon networked technology would be irrelevant. The only thing 
that matters in that narrow case is whether that asset can be reached by the available 
arsenal of cyber-weapons. 

Through their cyber-attack on Georgia, Russia also demonstrated that a high 
degree of reliance on digital technology by the population is not essential to execute a 
successful attack. As long as there is some variant of reliance and vulnerability that the 
aggressor can target then a state is in danger of falling victim to an attack. In both of the 
case studies government use of the Internet coupled with a lack of preparedness to defend 
their networks created critical vulnerabilities. Although lower Georgian reliance reduced 
the effectiveness of the attacks, it is important to note that the attacks were still executed 
effectively. 
IV. CONCLUSION 


Advances in cyber-technology over the past decades have given rise to the use of 
computer attacks as an effective weapon in conflictual relations between states. This 
research intended to refine some of the characteristics of this weapon’s employment and 
draw some initial conclusions that provide insight into the role it plays in conflictual 
relationships. It was first necessary to establish a common framework by which to 
conduct this research. 127 This included exploring the assumptions and characteristics of 
traditional structural realist theory, examining a game theoretical model that demonstrates 
how states interact, and creating a list of attributes that help measure and describe the role 
that selected weapons have on interaction between states in this environment. The 
attribute framework was then applied to selected instances of offensive cyber-weapons. 
Of the attribute categories, the research focused on three factors and examined their role 
in determining the level of effectiveness of offensive cyber-attacks in Estonia in 2007 and 
Georgia in 2008. The case study conclusion provided refined analysis on the relationship 
between the proposed causal factors and an attack’s level of effectiveness and extracted 
the trends that are relevant to understanding the construct of similar instances of 
cyber-conflict. 128 The last chapter of the research comments on the role of offensive 
cyber-weapons in the arsenal of tools of interaction between states. Provided also are some 
additional considerations and recommendations drawn from the case studies that are 
important to highlight, but did not relate specifically to the relationship between the 
selected causal factors and the level of effectiveness. Recommendations for further 
research is the last section and aims to focus research efforts towards issues that further 
the understanding of the causal mechanics of offensive cyber-attacks. 

A. CYBER-WEAPON ATTRIBUTES 

The case studies provided an opportunity to examine the causal role of 
selected factors on determining the level of effectiveness of an offensive cyber-attack. 
The case study conclusions summarized the refined and nuanced influence of the selected 
factors. There were additional items of interest that arose throughout the case studies that 
could be of particular importance to those developing policy on the use of 
cyber-weapons. Some of the considerations are recommendations based upon non-causal factor 
trends that were identified through the course of the case studies, while other 
considerations are valid, but research is too premature to identify and suggest a course of 
action. The intent of citing those issues is to identify subjects that are very relevant to 
cyber-policy but that need more refinement. 

127 Goertz, Social Science Concepts: A User’s Guide, 35. 

Although only three specific proposed factors were examined, this research did 
shed light on additional attributes of cyber-weapons as a tool of diplomacy in conflictual 
relations between states. The potential destructiveness of the weapons is immense, but 
largely determined by the intended effects, employed technology, and level of state 
involvement. Unpredictable collateral damage imposed by the attack is largely dependent 
upon its depth. For example, a power distribution interruption suffered by ten million 
people for 30 minutes (narrow and shallow) is likely to incur less unpredictable collateral 
damage than a similar attack that destroys transformers and electrical control networks 
(narrow and deep). The deeper attack inhibits power distribution for an unknown amount 
of time and creates the environment for development of second and third-order effects. 
Comments made by a NATO spokesman following the attack on Estonia indicate that 
state control of cyber-weapons is high. 129 It is important to understand that individual 
hackers and criminal organizations do have their own limited arsenals of cyber-weapons, 
and that the NATO spokesman’s comments imply that state control is necessary to 
provide either the planning and coordination effort or the weaponry necessary to be 
effective in a cyber-attack on a state-level scale. 

Plausible deniability and covert use are two of the most troublesome 
characteristics of offensive cyber-weapons because they complicate the understanding of 
roles between the actors in conflict. Largely as a result of these aspects, the case studies 
demonstrate that the deterrent capabilities of cyber-weapons are not as well defined as 
those of the traditional tools of interaction. Understanding the interaction between states 
within the traditional realist framework becomes very difficult when actors can secretly 
employ weapons, and more importantly, plausibly deny the origin of use. In the cases of 
Estonia and Georgia, the inability to forensically attribute the attacks allowed the 
aggressor state, presumably Russia, to avoid any punitive action. The increasing concern 
in America regarding the Chinese role in cyber-espionage and theft of billions of dollars 
of economic and intellectual property, all behind the veil of plausible deniability, 
demonstrates the immediate relevancy of this issue. Plausible deniability was not 
possible when using conventional military action or nuclear weapons. RMA-enhanced 
weapons increased covert employment, reduced collateral damage, and allowed for 
surgical precision, but still did not provide non-attribution capability. The capacity for 
cyber-weapons to be used by states without attribution is an issue that will continue to 
complicate state interaction in a conflict until this capability is either defeated by 
advances in cyber-forensics or thwarted by policy. This will be further examined in the 
subsequent section on policy recommendations. One last point regarding covert 
employment and plausible deniability is that these characteristics of cyber-weapons 
create a better opportunity for the targeted state to create false perceptions regarding the 
effects. Although propaganda spins the effects of all tools of interaction, the difficulty in 
attributing cyber-weapon use makes it easier for the targeted state to manipulate the 
narrative and popular perception of an offensive cyber-attack regardless of reality. 

Contestability of cyber-weapons adds an interesting element to the relationship 
between states. Conventional military action is contestable in that states can reasonably 
believe that they possess the ability to counter or defend against an opponent’s offensive 
strike, while the destruction inherent with the use of nuclear weapons made their 
contestability impossible. Weapons of the RMA were contestable and introduced an 
uncertainty that is also characteristic of cyber-weapons. Technologic advances coupled 
with secrecy made it difficult to determine the exact capabilities of the weapons being 
developed by one’s adversary and whether defenses were adequate to counter the 
weapons. Because RMA weapons employed kinetic means, the realm of possible targets 
was large, but comprehensible. Continued technologic advances, increased digital 
connectivity, and substantial secrecy around all aspects of cyber-weapons enhance their 
contestability, while the abilities to be employed both kinetically and non-kinetically 
exponentially multiply the number of potential attack surfaces. The ambiguity of this 
weapon’s development and capabilities makes it difficult for a state to determine if it is 
offensively adequate for the intended purpose or if their defenses are robust enough to 
protect against the enemy’s cyber-weapons. 

A final point revealed by the case studies was that a cyber-attack expands the 
attacking force to anybody sympathetic to the adversary’s cause. In the Georgian case, 
attacks were traced to sympathetic hacker citizens in Ukraine and Latvia. 132 Assuming 
that these attackers are lower-level individuals without access to cyber-tools that can 
cause catastrophic damage (and thereby invite international scrutiny) their activity on 
behalf of the aggressing state is almost a no-lose situation. It frees government resources 
to focus on other aspects of the hostility, but most importantly provides the state with 
plausible deniability. While the state would have difficulty in controlling some of the 
more radical hackers, it is safe to assume that they are the minority and that their small 
numbers prevent them from massing significant effects. The large bot-master command 
and control servers are likely to be much more accessible to government officials seeking 
to alter or curb their activity. 

B. POLICY CHALLENGES AND RECOMMENDATIONS 

The results of this research lead to several policy recommendations that will focus 
on limiting an adversary’s ability to benefit from an offensive cyber-attack. The 
recommendations focus on defense because it is of critical and immediate importance in 
order to protect against potential adversaries, and also because the offensive use of 
weapons is both more intuitive and better-suited for classified research. 

The first recommendation is that states need to be held accountable for actions 
originating from within their borders through updates to applicable international laws. 
While positively attributing a cyber-attack is difficult, the case studies both revealed 
circumstantial and tangible evidence that indicated the identity of the aggressor. In 
addition to inflammatory government rhetoric and Russian attack origins in both case 
studies, the government of Russia refused to cooperate with an international agreement 
requiring their cooperation in the Estonian investigation. 133 Allowing Russia to protect 
the guilty parties, whether it was the actual government or a government-protected entity, 
without collective international chastisement establishes a dangerous precedent. When 
there are no consequences for hosting cyber-attacks, then states will continue to hide 
behind the plausible deniability while secretly manipulating their cyber-forces as desired. 
The extended routing of data and the ability to launch attacks from remote servers makes 
it very easy to mask one’s identity and certainly complicates any effort to attribute 
attacks, but if states were held liable for harboring certain types of malicious activity then 
those states would be forced to become more vigilant. Although forensically more 
difficult, in theory this is no different than a state harboring terrorists. It should be the 
responsibility of the state to monitor its networks and prevent promulgation of 
malicious cyber-attacks. This responsibility is essential to make state governments 
carefully measure their actions and those within their borders. 

The second recommendation calls for an update to international laws and treaties. 
Perhaps the most significant impediment to the proper prosecution of cyber-attacks is the 
shortcoming of the international legal framework. Because they were written before 
cyber-attacks existed, the relevant legal frameworks of international law, international human 
rights law, and international humanitarian law are fragmented and provide adequate area 
for adversary states to operate without retribution. Specifically, determining when a 
cyber-attack meets the United Nations (UN) charter criteria for an armed attack and if 
that attack warrants UN-sanctioned self-defense are two issues that complicate efforts to 
effectively deal with cyber-attacks. The difficulty of attribution further complicates a 
clear delineation between acts of cyber-terrorism, cyber-crime, and cyber-warfare. Had 
there been internationally agreed-upon standards for the benchmarks of cyber-attacks and 
the requirements for attribution, the Russian attacks against Estonia and Georgia may 
have been met with authoritative international counter-action. Establishment of laws that 
deal specifically with the nuances of the cyber-domain and establish guidelines sufficient 
to attribute cyber-attacks will create a framework that will better deter an actor’s 
exploitation of cyber-weapons. Hand in hand with an update to the legal framework is 
the establishment of a representative international body that develops standards for cyber 
security. 136 Such an organization would allow for pertinent cyber-security issues to be 
discussed and solutions agreed upon by its member-states. 

The third recommendation takes the additional step of arguing for American 
participation in cyber-treaties that restrict the use of cyber-weapons. So far this issue has 
been divisive and consequently failed to be implemented. Opponents argue that signing a 
restrictive arms-control treaty annuls American IT advantages and would prevent 
exercise of actions critical to national security such as Stuxnet. 137 On the other hand, 
proponents of establishing treaties contend that cyber-weapons should be viewed as 
weapons of mass destruction and that increased transparency and voluntary participation 
in restricting their use is essential to continued security. 138 Much like the transparency of 
nuclear capabilities during the Cold War created predictable interaction between states, 
proponents argue that the covert and clandestine use and development of cyber-weapons as a 
matter of state policy will foster instability. 139 The recommendation to participate in 
multilateral international treaties is based on the contention that the devastating effects of 
cyber-weapons are so great, particularly when the capabilities are secretly guarded, that 
collective restriction and enforcement provides the best chance to ensure security among 
rational actors. Additionally, entering into legal agreements provides a solid base from 
which to prosecute those who violate it—provided that the transgression can be proved. 

The difficulty in attribution leads to the fourth recommendation which is to 
continue investing in new technology in order to gain and maintain an edge on 
adversaries. One area for investment is in the field of digital forensics. A nebulous 
cyber-domain that encompasses rapidly changing technology provides an advantage to those 
who wish to remain anonymous. In order to overcome the potential advantages gained 
by non-attributable attacks it is imperative to fund scientific advances in digital forensics. 
A second area for investment is quantum computing. Quantum computing is nascent 
technology that will completely revolutionize the landscape of IT. It has the power to 
negate all current cryptography and make code-breaking a simple process. Similarly, 
once quantum computing is used to protect a system then current methods of hacking are 
rendered useless. Russia, China, and the United States are competing to harness this 
technology into a usable form, and needless to say the winner will gain a remarkable 
advantage over adversaries. The United States is currently losing over $13 billion 
annually to cyber-espionage and theft, much of which is reportedly orchestrated by the 
Chinese government, to adversaries using traditional methods of defeating 
cryptography. 142, 143 It is likely that this financial loss would pale in comparison to the 
financial damage that adversaries could cause using quantum computing. For this reason, 
quantum computing technology is a second area that should continue to receive 
substantial government support. 

The final recommendation deals with the establishment of adequate cyber-security 
defenses. While the government is responsible for protecting its own cyber-assets, 
the private sector is left largely unregulated to defend itself. This is a problem 
because the private sector controls a substantial amount of critical infrastructure and is 
also heavily involved in national and cyber-security contracts, production, and 
maintenance. Some advocate providing incentives for businesses to meet cyber-security 
standards instead of mandating compliance, but this approach is insufficient. The 
government needs to establish and enforce higher cyber-security standards in the private 
sector in order to stop the outpouring of money and information critical to national 
security. While serving as a special adviser to the White House regarding cyber-affairs in 
the early 2000s, Richard Clarke recommended the establishment of cyber-security 
regulations for the private sector, but was reportedly ignored in fear of the financial and 
political backlash from big businesses. 145 Perhaps a mixture of incentive and regulation is 
the best way for both government and the private sector to have ownership of cyber-security, 
but what is becoming more apparent is that the current solution to private sector 
cyber-security is inadequate and jeopardizes American national interests. 

C. RECOMMENDATIONS FOR FURTHER RESEARCH 

The assumptions for interactions between states were based upon traditional 
realist theory, particularly those proposed by Waltz and Fearon. This analysis assumed 
that the actors were rational and either risk-neutral or risk-averse. While this framework 
accurately describes the interaction of most of the international community, there are 
states whose actions do not follow the tenets of traditional realism. There is certainly a 
need for exploratory research regarding the potential use of cyber-weapons by states or 
groups that are neither risk-neutral nor realist. While the lack of empirical evidence 
makes it difficult to draw fact-supported conclusions, this research is a valid thought 
experiment that could produce recommendations for policy-makers and security experts 
on how to defend against these actors. 

In order to best determine the role that the proposed causal variables had on the 
level of effectiveness it was necessary to select case studies of similar intent. This had the 
obvious impact of limiting the number of case studies available, but also limited the 
applicability of the conclusions. There is opportunity for further research to select case 
studies with a different intent than attacks on availability of data in order to subvert the 
government’s ability to provide services to its people. Cases where cyber-attacks attempt 
to affect the integrity of data, for either destructive or non-destructive purposes, are some 
examples of different intents. 

There is opportunity to examine the Estonian and Georgian case studies again 
with the same intent while proposing different causal variables. That research would help 
to provide a more robust assessment of the exact mechanics of each case study. Because 
of the secrecy involved with the specifics of cyber-weapons and cyber-attacks, it is 
difficult to draw definitive conclusions when examining only selected causal variables. In 
an effort to protect plausible deniability, states are sometimes forced to act in a manner 
that makes it difficult to determine if certain effects are intended or unintended. It is 
possible that the role of a proposed variable in the resulting level of effectiveness of an 
attack has been improperly ascribed. An investigation of all causal variables would help 
to shed light on all aspects of the case study and better determine the role each played. 
Unfortunately, time prevented an examination of this rigor. 

The research conducted in this thesis was mainly qualitative due to the lack of 
quantitative data available on the specifics of the attack. It also became apparent there is 
not a commonly used quantitative metric that sheds light on a state’s vulnerability to 
cyber-attack. Organizations such as the World Bank publish an annual report that details 
the Internet’s penetration rate among the population, but there is not a definitive way to 
determine the approximate vulnerability of a state. 146 To do so would likely require at 
least an analysis of the target state’s digital assets, the difficulty in introducing a 
cyber-weapon to affect those assets, and the sufficiency of their defense measures. While 
determining the specific cyber-vulnerability of a state is likely impossible, the fields of 
modeling and simulation could be very useful in assessing weaknesses and providing 
decision-makers with better metrics than Internet penetration rates. 

A final suggested area for future research is to explore the ramifications of a 
declaratory retaliation policy. The development of second-strike nuclear capability and 
policy in retaliation for a first-strike nuclear attack was the significant foundation of 
strategic deterrence theory during the Cold War. 147 Rapid and clandestine development of 
cyber-weapons coupled with the additional complexities introduced by nebulous 
international opinion on how to enforce cyber-security makes this topic worth 
investigating. By creating a red-line that evokes retaliation when crossed by a 
cyber-attack, the intent is to deter the use of first-strike cyber-attacks. Some of the issues to 
consider when examining this policy are whether retaliation should be in-kind, the 
appropriate level of response for a given cyber-attack, and how to proceed when 
attribution is not concrete. 